CVE-2024-10044 Overview
A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server's credentials to perform unauthorized web actions or access unauthorized web resources by combining it with the POST /register_worker endpoint.
Critical Impact
Attackers can leverage this SSRF vulnerability to make unauthorized requests using the server's credentials, potentially accessing internal services, cloud metadata endpoints, or other protected resources that trust the FastChat server.
Affected Products
- lm-sys FastChat (commit e208d5677c6837d590b81cb03847c0b9de100765 and related versions)
- FastChat Controller API Server version 2024-09-23
- FastChat deployments exposing the Controller API endpoints
Discovery Timeline
- 2024-12-30 - CVE CVE-2024-10044 published to NVD
- 2025-07-29 - Last updated in NVD database
Technical Details for CVE-2024-10044
Vulnerability Analysis
This SSRF vulnerability resides in the FastChat Controller API Server, specifically within the worker management functionality. FastChat is a popular open-source platform for training, serving, and evaluating large language model-based chatbots. The vulnerability enables attackers to abuse the server-side request capabilities of the controller to reach internal or external resources that would otherwise be inaccessible.
The exploitation chain involves two API endpoints working in conjunction. First, an attacker can use the /register_worker endpoint to register a malicious worker with an attacker-controlled URL. Subsequently, when the /worker_generate_stream endpoint processes requests intended for that worker, it makes server-side requests to the attacker-specified destination. This allows the attacker to pivot through the victim server and access resources using the server's network position and credentials.
The vulnerability has a changed scope impact, meaning successful exploitation can affect resources beyond the vulnerable component's security scope. This is particularly dangerous in cloud environments where internal metadata services or other microservices may be accessible from the FastChat server's network position.
Root Cause
The root cause is insufficient validation and sanitization of worker URLs during the registration and request forwarding process. The Controller API Server fails to properly restrict which URLs can be registered as worker endpoints and subsequently fails to validate the destinations before making server-side requests. This allows arbitrary URL injection through the /register_worker endpoint, which is then executed when the controller attempts to communicate with the registered worker through /worker_generate_stream.
Attack Vector
The attack exploits the trust relationship between the FastChat Controller and its registered workers. An attacker can perform the following attack sequence:
- The attacker sends a POST request to /register_worker with a malicious URL pointing to an internal service, cloud metadata endpoint, or other target resource
- The Controller API Server accepts this registration without proper URL validation
- When subsequent requests are processed through /worker_generate_stream, the controller makes authenticated requests to the attacker-specified URL
- The attacker receives responses from internal resources or can trigger actions on behalf of the FastChat server
This attack requires network access to the Controller API endpoints but does not require any authentication or user interaction, making it highly exploitable in exposed deployments. For detailed technical information, refer to the Huntr Bounty Report.
Detection Methods for CVE-2024-10044
Indicators of Compromise
- Unusual worker registrations with internal IP addresses (e.g., 169.254.169.254, 127.0.0.1, 10.x.x.x, 192.168.x.x)
- Worker URLs pointing to cloud metadata services (e.g., AWS 169.254.169.254/latest/meta-data/)
- Unexpected outbound connections from the FastChat Controller to internal services
- Multiple worker registrations from external sources with suspicious URL patterns
Detection Strategies
- Monitor the /register_worker endpoint for requests containing internal IP addresses or cloud metadata URLs
- Implement network traffic analysis to detect unusual outbound connections from FastChat server processes
- Deploy web application firewall (WAF) rules to inspect and block SSRF payloads in worker registration requests
- Configure logging for all worker registration events and correlate with network flow data
Monitoring Recommendations
- Enable verbose logging on the FastChat Controller API Server to capture all worker registration and stream generation requests
- Set up alerts for requests to /worker_generate_stream that result in connections to internal network ranges
- Monitor for repeated failed connection attempts that may indicate SSRF probing activity
- Implement egress filtering monitoring to detect unauthorized outbound requests from the FastChat deployment
How to Mitigate CVE-2024-10044
Immediate Actions Required
- Restrict network access to the FastChat Controller API endpoints using firewall rules or network segmentation
- Implement URL allowlisting for worker registration to only accept known, trusted worker endpoints
- Deploy egress filtering to prevent the FastChat server from making requests to internal networks or cloud metadata services
- Review recent worker registrations for any suspicious URLs and remove unauthorized entries
Patch Information
Users should monitor the lm-sys/fastchat repository for security updates addressing this vulnerability. Review the Huntr Bounty Report for the latest information on remediation status. Until an official patch is available, implement the workarounds described below to reduce exposure.
Workarounds
- Deploy a reverse proxy or API gateway in front of the Controller API with URL validation rules to block SSRF payloads
- Implement network-level controls to prevent the FastChat Controller from accessing internal services or cloud metadata endpoints
- Use network segmentation to isolate the FastChat deployment from sensitive internal resources
- Consider disabling or restricting access to the /register_worker endpoint if dynamic worker registration is not required in your deployment
# Example iptables rules to block common SSRF targets
# Block access to AWS metadata service
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Block access to internal networks from FastChat container/server
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
