CVE-2024-12376 Overview
CVE-2024-12376 is a Server-Side Request Forgery (SSRF) vulnerability in the lm-sys/fastchat web server, affecting git commit 2c68a13. The flaw allows unauthenticated remote attackers to coerce the server into issuing arbitrary HTTP requests. Attackers can reach internal-only endpoints, including cloud instance metadata services such as AWS Instance Metadata Service (IMDS). Successful exploitation exposes sensitive resources that are otherwise unreachable from the public network, including temporary IAM credentials. The vulnerability is categorized under CWE-918 (Server-Side Request Forgery).
Critical Impact
Unauthenticated attackers can force fastchat to fetch attacker-controlled URLs, enabling access to AWS metadata credentials and other internal services.
Affected Products
- lm-sys/fastchat git commit 2c68a13
- FastChat builds referenced by CPE cpe:2.3:a:lm-sys:fastchat:2024-10-05
- Deployments exposing the FastChat web server to untrusted networks
Discovery Timeline
- 2025-03-20 - CVE-2024-12376 published to NVD
- 2026-06-17 - Last updated in NVD database
- Vulnerability details published in the Huntr Bug Bounty Report
Technical Details for CVE-2024-12376
Vulnerability Analysis
FastChat is an open platform for training, serving, and evaluating large language model (LLM) chatbots. The web server component accepts user-supplied input that is subsequently used to construct outbound HTTP requests. Because the input is not validated against an allowlist of hosts or schemes, attackers can substitute URLs pointing to internal infrastructure. The server then dereferences those URLs from its own network position, returning responses or side-effects to the attacker. This class of flaw is particularly dangerous in cloud-hosted deployments, where the 169.254.169.254 metadata endpoint issues short-lived IAM credentials to any process on the instance.
Root Cause
The root cause is missing validation of URL parameters consumed by the FastChat web server before they are passed to an HTTP client. The server treats user-controlled URLs as trusted destinations. No scheme filtering, host allowlisting, or metadata-endpoint blocking is applied prior to the outbound fetch.
Attack Vector
Exploitation requires only network access to the FastChat web interface. No authentication or user interaction is needed. An attacker submits a crafted request that instructs the server to retrieve a URL such as http://169.254.169.254/latest/meta-data/iam/security-credentials/. The server returns the metadata service response, disclosing AWS role credentials that the attacker can then use to pivot into the cloud environment. Internal services on RFC1918 addresses, loopback ports, and Kubernetes API endpoints are similarly reachable.
See the Huntr Bug Bounty Report for the technical proof-of-concept details.
Detection Methods for CVE-2024-12376
Indicators of Compromise
- Outbound HTTP requests from the FastChat host to 169.254.169.254, metadata.google.internal, or metadata.azure.com
- FastChat process connections to loopback (127.0.0.1) or RFC1918 addresses on non-standard ports
- Web server access logs containing URL parameters with internal IPs, file://, or gopher:// schemes
- Unexpected calls to AWS Security Token Service (STS) from IAM roles bound to the FastChat instance
Detection Strategies
- Inspect FastChat request logs for parameters containing URLs that resolve to internal or link-local ranges
- Correlate FastChat process telemetry with outbound connections to cloud metadata endpoints
- Deploy egress network policies and alert on any FastChat-originated traffic that violates them
- Monitor CloudTrail for use of instance-role credentials from IP addresses outside the FastChat host
Monitoring Recommendations
- Enable IMDSv2 on AWS and alert on any IMDSv1 access attempts
- Log and retain full HTTP request bodies at the FastChat reverse proxy for forensic review
- Baseline normal outbound destinations for FastChat and alert on deviations
How to Mitigate CVE-2024-12376
Immediate Actions Required
- Restrict network egress from FastChat hosts to only required destinations
- Enforce AWS IMDSv2 and set the metadata hop limit to 1 to block SSRF-based credential theft
- Place FastChat behind an authenticated reverse proxy and remove public exposure where feasible
- Rotate any IAM credentials that may have been retrieved from affected instances
Patch Information
No vendor advisory or patched release is listed in the NVD data for CVE-2024-12376 at the time of publication. Operators should track the Huntr Bug Bounty Report and the upstream lm-sys/fastchat repository for a fix, and apply a validated build once released.
Workarounds
- Add a URL allowlist in front of FastChat that rejects requests targeting link-local, loopback, and RFC1918 ranges
- Block outbound connections to 169.254.169.254 at the host firewall or via a network security group
- Run FastChat with a minimally privileged IAM role that has no sensitive permissions
- Use a dedicated egress proxy that filters schemes to http/https only and enforces DNS pinning
# Example AWS CLI: enforce IMDSv2 and restrict hop limit to mitigate SSRF credential theft
aws ec2 modify-instance-metadata-options \
--instance-id i-0123456789abcdef0 \
--http-tokens required \
--http-put-response-hop-limit 1 \
--http-endpoint enabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

