CVE-2024-11603 Overview
CVE-2024-11603 is a Server-Side Request Forgery (SSRF) vulnerability in lm-sys/fastchat version 0.2.36. The flaw resides in the /queue/join? endpoint, which fails to properly validate the path parameter. An unauthenticated remote attacker can craft requests that force the FastChat server to issue outbound HTTP requests to arbitrary destinations.
Attackers can pivot from the vulnerable server into internal networks or query cloud metadata services such as the AWS Instance Metadata Service (IMDS). This class of SSRF frequently leads to credential theft and lateral movement in cloud-hosted large language model (LLM) deployments.
Critical Impact
Unauthenticated attackers can coerce the FastChat server into reaching internal-only resources and the AWS metadata endpoint, exposing IAM credentials and sensitive internal services.
Affected Products
- lm-sys/fastchat version 0.2.36
- FastChat deployments serving the Gradio queue endpoint
- Cloud-hosted FastChat instances with access to instance metadata services
Discovery Timeline
- 2025-03-20 - CVE-2024-11603 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-11603
Vulnerability Analysis
FastChat is an open platform for training, serving, and evaluating LLM-based chatbots. It exposes a web interface backed by Gradio, which routes queued requests through the /queue/join? endpoint. This endpoint accepts a path parameter that is consumed by server-side request handling logic without sufficient sanitization.
Because the endpoint does not restrict target hosts, schemes, or IP ranges, an attacker can supply URLs pointing to internal services or link-local metadata addresses such as 169.254.169.254. The FastChat process then performs the outbound request on the attacker's behalf, returning or exposing data from those internal endpoints. The weakness is classified under [CWE-918] Server-Side Request Forgery.
Root Cause
The root cause is missing allowlist validation on the path parameter of /queue/join?. FastChat trusts caller-supplied URLs and does not enforce host restrictions, scheme filtering, or blocks against private and link-local address space defined in RFC 1918 and RFC 3927.
Attack Vector
The vulnerability is network-reachable and requires no authentication or user interaction. An attacker sends a crafted HTTP request to /queue/join? with a path value that references an internal IP, hostname, or the cloud metadata service. The vulnerability affects confidentiality only. It does not directly modify data or degrade availability, but exposed IAM credentials can enable follow-on attacks that do.
Refer to the Huntr Bounty Report for the original disclosure and proof-of-concept context.
Detection Methods for CVE-2024-11603
Indicators of Compromise
- Outbound HTTP requests from the FastChat host to 169.254.169.254 or other link-local addresses
- Requests to /queue/join? containing path values with absolute URLs, private IP ranges, or metadata hostnames
- Unexpected access patterns to internal-only services originating from the FastChat application user
- AWS CloudTrail entries showing use of instance role credentials from external IPs
Detection Strategies
- Inspect application and reverse-proxy logs for /queue/join? requests where the path parameter contains schemes such as http://, https://, or file://
- Alert on any egress from the FastChat process to RFC 1918, RFC 6598, or 169.254.0.0/16 networks
- Correlate FastChat access logs with cloud audit logs to identify metadata service access that follows external HTTP requests
Monitoring Recommendations
- Enable IMDSv2 on AWS to require session tokens and block simple SSRF-based credential theft
- Deploy egress filtering on the FastChat host and log denied outbound connections
- Baseline normal outbound traffic from LLM serving hosts and alert on deviations
How to Mitigate CVE-2024-11603
Immediate Actions Required
- Restrict network egress from FastChat servers to only required destinations
- Enforce IMDSv2 on all AWS instances running FastChat to require token-based metadata access
- Place FastChat behind an authenticated reverse proxy and rate-limit /queue/join?
- Audit IAM roles attached to FastChat hosts and remove unnecessary permissions
Patch Information
No vendor advisory URL is listed in the CVE record at the time of publication. Operators should track the lm-sys/FastChat GitHub repository for versions later than 0.2.36 and apply upstream fixes when available. Until a patched release is confirmed, treat the mitigations below as required controls.
Workarounds
- Block or rewrite requests to /queue/join? at the reverse proxy when the path parameter contains external URLs or private IP literals
- Deny outbound traffic from the FastChat host to 169.254.169.254 and internal management ranges
- Run FastChat in a network segment with no route to sensitive internal services
- Remove or scope down cloud instance IAM roles so that stolen credentials have minimal privilege
# Example: block metadata access from the FastChat host (Linux iptables)
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Example: enforce IMDSv2 on an existing AWS instance
aws ec2 modify-instance-metadata-options \
--instance-id i-0123456789abcdef0 \
--http-tokens required \
--http-endpoint enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

