CVE-2024-6095
Published 2024-07-06
Priority P3 · 41 · medium · 5.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
EXPLOIT
EPSS: 2.48% (82.5th percentile)
A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s):// and file:// schemes, where the latter can lead to LFI. However, the output is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mudler | localai | < 2.17.0 | 2.17.0 |
| mudler | mudler_localai | >= unspecified < 2.17 | 2.17 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /models/apply whose JSON body carries a `url` field with a file:// scheme (LFI) or an http(s):// URL pointing at internal resources (SSRF).
- Look for the distinctive error string ': cannot unmarshal !!str `root:x:...`' in JSON responses from /models/jobs/<uuid>; it confirms a successful partial LFI of /etc/passwd.
- The attack is a two-step flow: (1) POST to /models/apply with a malicious file:// or http:// URL to obtain a job UUID, then (2) GET /models/jobs/<uuid> to retrieve the partial file content embedded in the error message.
- Use the Shodan favicon hash -976853304 to identify internet-exposed LocalAI instances that may be vulnerable.
- The LFI output is limited: only a partial file read is possible, because the leaked content is constrained by the length of the error message returned.
- No authentication is required to reach the vulnerable endpoint, so any network-accessible LocalAI instance is at risk unless additional network controls are in place.
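The two-step flow and the indicators above, turned into offline detection logic. This is an added example for this page, not code from the page, the Nuclei template or the LocalAI project; the sample requests and the job response it runs on are constructed and embedded inline. It classifies POST /models/apply bodies by the scheme and host of their `url` field, and pulls the leaked file prefix out of a /models/jobs/<uuid> response by matching the `cannot unmarshal !!str` error string. Assumptions: request bodies are available from a reverse proxy or application log in (method, path, body) form; the job response embeds the error text somewhere in its JSON (the page does not name the field, so every string value is searched); the internal-hostname list and the private/loopback/link-local address test are the editor's heuristics for what counts as SSRF. The leaked prefix is only a few characters because go-yaml's type error quotes the first seven characters of the offending scalar followed by `...`, which is the error-message length limit the advisory refers to.

```python
"""Offline detection helpers for CVE-2024-6095 (LocalAI /models/apply SSRF / partial LFI).

Added example for this page, not LocalAI project code. All sample data is constructed.
"""
import ipaddress
import json
import re
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: hostnames that are only meaningful inside the deployment network.
INTERNAL_HOSTNAMES = {"localhost", "metadata.google.internal"}

# go-yaml quotes only a short prefix of the offending scalar in its type error
# ("cannot unmarshal !!str `root:x:...` into ..."); that prefix is the leak.
LEAK_RE = re.compile(r"cannot unmarshal !!str `(?P<leak>[^`]*)`")


def is_internal_host(host: str) -> bool:
    """True for loopback, private, link-local or unspecified addresses and bare hostnames."""
    host = host.strip("[]").lower()
    if not host or host in INTERNAL_HOSTNAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Heuristic: a single-label name (no dot) only resolves via internal DNS.
        return "." not in host
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def classify_apply_request(method: str, path: str, body: str) -> Optional[str]:
    """Classify one request: 'lfi', 'ssrf', 'external', or None when not a url-based apply."""
    if method.upper() != "POST" or urlparse(path).path.rstrip("/") != "/models/apply":
        return None
    try:
        url = json.loads(body).get("url", "")
    except (ValueError, AttributeError):
        return None
    parts = urlparse(str(url))
    if parts.scheme == "file":
        return "lfi"  # file:// -> local file read through the YAML loader
    if parts.scheme in ("http", "https"):
        return "ssrf" if is_internal_host(parts.hostname or "") else "external"
    return None


def _strings(obj) -> Iterator[str]:
    """Yield every string value in a decoded JSON document, whatever the field names."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def extract_leak(job_response: str) -> Optional[str]:
    """Return the leaked file prefix from a /models/jobs/<uuid> JSON response, or None."""
    try:
        doc = json.loads(job_response)
    except ValueError:
        return None
    for text in _strings(doc):
        match = LEAK_RE.search(text)
        if match:
            return match.group("leak").removesuffix("...")
    return None


# Constructed sample traffic in (method, path, body) form, e.g. from a reverse
# proxy that logs request bodies. Not captured from a real instance.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("POST", "/models/apply", '{"url": "file:///etc/passwd"}'),
    ("POST", "/models/apply", '{"url": "http://169.254.169.254/latest/meta-data/"}'),
    ("POST", "/models/apply", '{"url": "http://[::1]:8080/admin"}'),
    ("POST", "/models/apply", '{"url": "https://example.com/gallery/model.yaml"}'),
    ("POST", "/models/apply", '{"id": "some-gallery@some-model"}'),
    ("GET", "/models/jobs/0b6f9c1e-1111-2222-3333-444444444444", ""),
]

# Constructed job response carrying the error string the page lists as the LFI
# indicator; the field name and the trailing target type are made up.
SAMPLE_JOB_RESPONSE = (
    '{"error": "yaml: unmarshal errors:\\n  line 1: cannot unmarshal !!str '
    '`root:x:...` into struct", "processed": true}'
)


def scan(requests=SAMPLE_REQUESTS) -> List[Tuple[str, str, str]]:
    """Return (method, path, verdict) for each request that looks like exploitation."""
    hits = []
    for method, path, body in requests:
        verdict = classify_apply_request(method, path, body)
        if verdict in ("lfi", "ssrf"):
            hits.append((method, path, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan():
        print("ALERT", *hit)
    print("leaked prefix:", extract_leak(SAMPLE_JOB_RESPONSE))
```

Run against the embedded samples, `scan()` flags the file://, link-local and loopback requests and ignores the gallery install and the external URL; `extract_leak()` returns `root:x:` from the constructed job response. Wire the same two functions to real proxy logs and job responses to alert on the full POST-then-GET sequence rather than on either request alone.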
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
| NVD | 3.0 | 5.8 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
No detection rules found.
Nuclei
LocalAI - Partial Local File Read (nuclei · CVSS 5.8)
CVE-2024-6095 [MEDIUM] LocalAI - Partial Local File Read
Template (as indexed on this page; cut off inside the description field):
```yaml
id: CVE-2024-6095

info:
  name: LocalAI - Partial Local File Read
  author: iamnoooob,pdresearch,rootxharsh
  severity: medium
  description: |
    A vulnerability in the /models/apply endpoint of
```
No writeups or analysis indexed.