PT-2026-60507 · Unknown · Text-Generation-Inference
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
text-generation-inference versions prior to 3.3.8
Description
A server-side request forgery (SSRF) issue exists in the OpenAI-compatible multimodal chat completions endpoint. Unauthenticated network attackers can force the server to issue arbitrary HTTP GET requests by providing a crafted
image url value within the chat message content. This occurs because the fetch image() function in router/src/validation.rs does not validate private, loopback, link-local, or cloud metadata target addresses. Additionally, the reqwest HTTP client follows redirects by default, allowing attackers to bypass scheme checks through redirect chains to access internal services and cloud instance-metadata endpoints for internal port scanning and credential theft. Real-world incidents of this issue being exploited have been reported.Recommendations
Update text-generation-inference to version 3.3.8 or later.
As a temporary mitigation, restrict access to the OpenAI-compatible multimodal chat completions endpoint or avoid using the
image url parameter until the update is applied.Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Text-Generation-Inference