PT-2025-12144 · Unknown · Parisneo/Lollms-Webui
Published 2025-03-20 · Updated 2025-03-20 · CVE-2024-12766
CVSS v3.1: 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui version V13 (feather)
Description: The issue is a Server-Side Request Forgery (SSRF) vulnerability in the "POST /api/proxy" REST API. Attackers can exploit it to reach web resources they are not authorized to access by supplying the JSON parameter {"url":"http://steal.target"}. The existing security mechanisms, forbid_remote_access(lollmsElfServer), the lollmsElfServer.config.headless_server_mode setting, and check_access(lollmsElfServer, request.client_id), do not protect against this vulnerability.
Recommendations: As a temporary workaround, consider disabling the POST /api/proxy API endpoint until a patch is available. Restrict access to the lollmsElfServer to minimize the risk of exploitation. Avoid using the url parameter of the affected API endpoint until the issue is resolved.
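A hardened check for the url parameter of a proxy endpoint like the one described above, written here as an added example (not code from lollms-webui or the fix): it refuses any target not on an operator-defined allowlist and resolves the host so that a name pointing at a loopback, private or link-local address is rejected before the proxy fetches it. The allowlist contents and the pluggable resolver are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist for this example: the only upstream hosts the proxy may fetch.
ALLOWED_HOSTS = {"api.example-provider.test"}


def resolve_with_system_dns(host):
    """Default resolver: every A/AAAA address the system DNS returns for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_proxy_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_with_system_dns):
    """Return the reason a proxy request must be refused, or None if it may proceed.

    Checks, in order: scheme is http/https, no embedded credentials, host is on
    the allowlist, and every address the host resolves to is public. Resolving
    here closes the case where an allowlisted name is later pointed at an
    internal address; the resolved address, not the name, should then be used
    for the actual connection.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return "scheme not allowed"
    if parsed.username or parsed.password:
        return "credentials in URL not allowed"
    host = parsed.hostname
    if not host:
        return "missing host"
    if host.lower() not in allowed_hosts:
        return "host not on allowlist"
    try:
        addresses = resolver(host)
    except (socket.gaierror, OSError):
        return "host does not resolve"
    if not addresses:
        return "host does not resolve"
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # is_global is False for loopback, RFC 1918, link-local (incl. 169.254.169.254) and similar ranges
        if not ip.is_global:
            return f"host resolves to non-public address {addr}"
    return None
```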

Exploit · Fix · SSRF


Related Identifiers: CVE-2024-12766
Affected Products: Parisneo/Lollms-Webui