PT-2024-15992 · Unknown · Lm-Sys/Fastchat

Published: 2024-12-30 · Updated: 2025-07-29 · CVE-2024-10044

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: lm-sys/fastchat, versions as of commit e208d5677c6837d590b81cb03847c0b9de100765

Description: A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server. By combining it with the POST /register_worker endpoint, an attacker can make the controller issue requests on their behalf, using the controller's network position and credentials to perform unauthorized web actions or access web resources that should not be reachable.

Recommendations: As a temporary workaround, consider disabling the POST /worker_generate_stream API endpoint until a patch is available. Restrict access to the POST /register_worker endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
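The recommendation above is to restrict who can register workers. A complementary control a defender can add to the controller is deny-by-default validation of every worker address submitted at registration, so that even a caller who reaches the endpoint cannot point the controller at loopback, link-local (cloud metadata) or arbitrary external hosts. The code below is an added example written for this advisory; it is not FastChat's own implementation, and the allowlist, network ranges, function names and sample addresses are all constructed assumptions.

```python
"""
Hypothetical worker-address validation for a controller's register-worker
endpoint. Added example, not FastChat code; every name and value here is assumed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: hostnames and networks the controller is permitted
# to forward generate/stream requests to. Everything else is rejected.
ALLOWED_WORKER_HOSTS = {"worker-1.internal", "worker-2.internal"}
ALLOWED_WORKER_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_SCHEMES = {"http", "https"}


def validate_worker_address(
    addr: str,
    allowed_hosts=ALLOWED_WORKER_HOSTS,
    allowed_networks=ALLOWED_WORKER_NETWORKS,
) -> tuple[bool, str]:
    """Return (ok, reason) for a worker address submitted at registration.

    Deny by default: only allowlisted hostnames or IPs inside allowlisted
    networks pass, and loopback / link-local / unspecified targets are always
    refused regardless of the allowlist.
    """
    try:
        parts = urlsplit(addr)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        # Literal IP: block ranges that an SSRF would typically aim at
        # (127.0.0.0/8, 169.254.0.0/16 metadata, ::1, 0.0.0.0) before
        # consulting the allowlist, so a sloppy allowlist cannot readmit them.
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified \
                or ip.is_multicast or ip.is_reserved:
            return False, f"address {host} is in a non-routable/internal range"
        if not any(ip in net for net in allowed_networks):
            return False, f"address {host} not in an allowlisted worker network"
        return True, "ok"

    # Hostname: exact match against the allowlist only.
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in worker allowlist"
    return True, "ok"


def register_worker(worker_addr: str, registry: dict) -> bool:
    """Store the worker only if its address passes validation."""
    ok, reason = validate_worker_address(worker_addr)
    if not ok:
        print(f"rejected worker {worker_addr!r}: {reason}")
        return False
    registry[worker_addr] = {"address": worker_addr}
    return True


if __name__ == "__main__":
    # Constructed sample registrations, as a controller might receive them.
    reg: dict = {}
    for candidate in [
        "http://worker-1.internal:21002",
        "http://10.20.3.4:21002",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:8000",
        "http://attacker.example.com:80",
        "file:///etc/passwd",
        "http://user:pw@worker-1.internal:21002",
    ]:
        print(candidate, "->", register_worker(candidate, reg))
```

The same check should run again when the controller dispatches a request (the worker_generate_stream path), not only at registration, so that an address stored before the validation was introduced, or mutated through another code path, is still refused.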

Exploit

SSRF

Weakness Enumeration

Related Identifiers

CVE-2024-10044

Affected Products

Lm-Sys/Fastchat