CVE-2024-11603
Severity: HIGH
lm-sys fastchat 0.2.36 - Server-Side Request Forgery via Queue Join Endpoint Path Parameter
Title source: llm
Description
A Server-Side Request Forgery (SSRF) vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the `/queue/join?` endpoint, where insufficient validation of the path parameter allows an attacker to send crafted requests. This can lead to unauthorized access to internal networks or the AWS metadata endpoint, potentially exposing sensitive data and compromising internal servers.
References (1)
Core References
Exploit, Third Party Advisory: https://huntr.com/bounties/89f1158d-4a75-4000-a1bd-f82dd1a62bff
Scores
CVSS v3: 7.5
EPSS: 0.0025
EPSS Percentile: 48.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (2)
lm-sys/fastchat 0.2.36
pypi/fschat 0 (PyPI)
Published: Mar 20, 2025
Tracked Since: Feb 18, 2026