cbcvebase.
CVE-2024-3135
published 2024-04-01

CVE-2024-3135: A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited…

PriorityP429medium6.5CVSS 3.0
AVNACLPRNUIRSUCNINAH
EPSS
0.30%
21.3th percentile
A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim's local LocalAI instance without their consent. This vulnerability enables attackers to exhaust system resources, consume credits, and fill disk space by making numerous resource-intensive API calls, such as generating images or uploading files. The vulnerability stems from the application's acceptance of simple request content-types without requiring CSRF tokens or implementing other CSRF mitigation measures. Successful exploitation does not require network access to the vulnerable LocalAI environment.

Affected

3 ranges
VendorProductVersion rangeFixed in
github.comgo-skynet_localai0 – 2.7.0
mudlerlocalai< 2.17.02.17.0
mudlermudler_localaiunspecified – latest
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.