PT-2025-12109 · Unknown · Lm-Sys/Fastchat

Published: 2025-03-20 · Updated: 2025-03-21 · CVE-2024-11603

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: lm-sys/fastchat version 0.2.36
Description: A Server-Side Request Forgery (SSRF) issue exists that allows an attacker to send crafted requests, because the path parameter of the "/queue/join?" endpoint is insufficiently validated. This can lead to unauthorized access to internal networks or to the AWS metadata endpoint, potentially exposing sensitive data and compromising internal servers.
Recommendations: For lm-sys/fastchat version 0.2.36, consider disabling access to the "/queue/join?" endpoint until a patch is available. Restricting use of the vulnerable endpoint limits the risk of unauthorized requests reaching internal networks.
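The root cause described above is a user-controlled request target that the server fetches without checking where it points. The following is an added illustration of the defensive check that closes that class of bug; it is not FastChat's code and makes no assumption about how the project's endpoint is implemented. It rejects non-http(s) schemes and any target whose host is, or resolves to, a non-public address (loopback, RFC 1918, link-local including the 169.254.169.254 metadata address, IPv4-mapped IPv6 forms of those), and it fails closed on DNS errors. The resolver is injectable so the check can be exercised offline.

```python
"""SSRF target check (illustrative, not FastChat's own code):
refuse outbound URLs whose scheme is not http(s) or whose host
resolves to any loopback, private, link-local or otherwise
non-global address, e.g. the cloud metadata address 169.254.169.254."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host: str) -> set[str]:
    """Resolve *host* to every A/AAAA record via the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def is_global_address(ip: str) -> bool:
    """True only for publicly routable addresses. IPv4-mapped IPv6
    (e.g. ::ffff:169.254.169.254) is unwrapped first so it cannot be
    used to smuggle a private IPv4 target past the check."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def check_outbound_target(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Return (allowed, reason). Fails closed on parse or DNS errors.
    *resolver* is injectable (hypothetical hook) for offline tests."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None:
        return False, "userinfo in url not allowed"
    # A literal IP needs no DNS lookup; anything else is resolved.
    try:
        ipaddress.ip_address(host)
        addrs = {host}
    except ValueError:
        try:
            addrs = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"dns failure for {host!r}: {exc}"
        if not addrs:
            return False, f"no addresses for {host!r}"
    # Every resolved address must be global: a mixed answer set
    # (one public, one private record) is refused as a whole.
    bad = sorted(a for a in addrs if not is_global_address(a))
    if bad:
        return False, f"non-public address(es): {', '.join(bad)}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample targets; the last uses a fake resolver.
    for target in ("http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:169.254.169.254]/",
                   "file:///etc/passwd",
                   "http://127.0.0.1:8000/"):
        print(target, "->", check_outbound_target(target))
    print("internal.example ->",
          check_outbound_target("http://internal.example/",
                                resolver=lambda h: {"10.1.2.3"}))
```

The check only decides whether a request may be made; the code that then performs the request should connect to the addresses it validated (rather than resolving the name a second time, which DNS rebinding can exploit) and should re-run the check on every redirect before following it.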

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2024-11603
GHSA-H254-G997-685C

Affected Products

Lm-Sys/Fastchat