CVE-2024-6095
published 2024-07-06

CVE-2024-6095: A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion…

Priority: P3 · 41 · medium · 5.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:N / A:N
EXPLOIT
EPSS: 2.48% (82.5th percentile)
A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s):// and file:// schemes, where the latter can lead to LFI. However, the output is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17.

Affected

2 ranges

Vendor   Product          Version range             Fixed in
mudler   localai          < 2.17.0                  2.17.0
mudler   mudler_localai   >= unspecified, < 2.17    2.17

Detection & IOCs (extracted from sources)

url: /models/apply
path: /models/apply
path: /models/jobs/{{uuid}}
command: {"url":"file:///etc/passwd"}
  • Detect exploitation attempts by monitoring POST requests to /models/apply containing a 'url' field with a file:// scheme (LFI) or http(s):// pointing to internal resources (SSRF).
  • Look for the distinctive error string ': cannot unmarshal !!str `root:x:...`' in JSON responses from /models/jobs/<uuid>, which confirms successful partial LFI of /etc/passwd.
  • The attack is a two-step flow: (1) POST to /models/apply with a malicious file:// or http:// URL to obtain a job UUID, then (2) GET /models/jobs/<uuid> to retrieve the partial file content embedded in the error message.
  • Use the Shodan favicon hash -976853304 to identify exposed LocalAI instances on the internet that may be vulnerable.
  • The LFI output is limited: only a partial file read is possible because the leaked content is constrained by the length of the error message returned.
  • No authentication is required to reach the vulnerable endpoint, meaning any network-accessible LocalAI instance is at risk without additional network controls.
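Detection logic for the two-step flow described in the bullets above, as an added example that is not part of this advisory or of LocalAI's own code: it flags POST /models/apply requests whose JSON body carries a file:// URL or an http(s) URL aimed at an internal address, and GET /models/jobs/<uuid> responses carrying the unmarshal error fragment. The record field names (src, method, path, body, response) and the sample events are constructed assumptions, not LocalAI's log format.

```python
import json
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Error fragment named in the advisory: the fetched file fails YAML decoding and its first bytes are echoed back.
UNMARSHAL_MARKER = re.compile(r"cannot unmarshal !!str `([^`]*)`")
JOB_PATH = re.compile(r"^/models/jobs/[0-9a-fA-F-]{36}$")

def _is_internal_host(host):
    """Loopback, RFC1918, link-local or 'localhost' (heuristic; DNS names are not resolved here)."""
    try:
        ip = ip_address(host)
    except ValueError:
        return bool(host) and host.lower() == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local

def classify_event(event):
    """Return a finding for one request/response record, or None when it looks benign."""
    method, path = event.get("method"), event.get("path", "")
    if method == "POST" and path == "/models/apply":
        try:
            url = json.loads(event.get("body") or "{}").get("url", "")
        except (ValueError, AttributeError):
            return None
        parsed = urlparse(url)
        if parsed.scheme == "file":
            return f"LFI attempt via file:// ({parsed.path})"
        if parsed.scheme in ("http", "https") and _is_internal_host(parsed.hostname):
            return f"SSRF attempt against internal host ({parsed.hostname})"
    elif method == "GET" and JOB_PATH.match(path):
        m = UNMARSHAL_MARKER.search(event.get("response", ""))
        if m:
            return f"partial LFI confirmed, leaked fragment {m.group(1)!r}"
    return None

def scan(events):
    """Collect (source, path, finding) for every record that classify_event flags."""
    return [(ev.get("src", "?"), ev["path"], f) for ev in events if (f := classify_event(ev))]

# Constructed sample records; the field names are an assumption, not LocalAI's own log format.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "method": "POST", "path": "/models/apply", "body": '{"url":"file:///etc/passwd"}'},
    {"src": "10.0.0.5", "method": "POST", "path": "/models/apply", "body": '{"url":"http://10.0.0.1:8080/"}'},
    {"src": "10.0.0.9", "method": "POST", "path": "/models/apply", "body": '{"url":"https://example.com/m.yaml"}'},
    {"src": "10.0.0.5", "method": "GET", "path": "/models/jobs/123e4567-e89b-12d3-a456-426614174000",
     "response": '{"error":"yaml: cannot unmarshal !!str `root:x:...` into map"}'},
]
```

Running scan(SAMPLE_EVENTS) yields three findings (the file:// request, the internal http request, and the job response that confirms the partial read) and leaves the public https download unflagged.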

CVSS provenance

nvd · v3.1 · 5.8 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
nvd · v3.0 · 5.8 MEDIUM · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N