Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-12376

CVE-2024-12376: Lm-sys Fastchat SSRF Vulnerability

CVE-2024-12376 is a Server-Side Request Forgery flaw in Lm-sys Fastchat that enables attackers to access internal resources like AWS metadata credentials. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-12376 Overview

CVE-2024-12376 is a Server-Side Request Forgery (SSRF) vulnerability in the lm-sys/fastchat web server, affecting git commit 2c68a13. The flaw allows unauthenticated remote attackers to coerce the server into issuing arbitrary HTTP requests. Attackers can reach internal-only endpoints, including cloud instance metadata services such as AWS Instance Metadata Service (IMDS). Successful exploitation exposes sensitive resources that are otherwise unreachable from the public network, including temporary IAM credentials. The vulnerability is categorized under CWE-918 (Server-Side Request Forgery).

Critical Impact

Unauthenticated attackers can force fastchat to fetch attacker-controlled URLs, enabling access to AWS metadata credentials and other internal services.

Affected Products

  • lm-sys/fastchat git commit 2c68a13
  • FastChat builds referenced by CPE cpe:2.3:a:lm-sys:fastchat:2024-10-05
  • Deployments exposing the FastChat web server to untrusted networks

Discovery Timeline

  • 2025-03-20 - CVE-2024-12376 published to NVD
  • 2026-06-17 - Last updated in NVD database
  • Vulnerability details published in the Huntr Bug Bounty Report

Technical Details for CVE-2024-12376

Vulnerability Analysis

FastChat is an open platform for training, serving, and evaluating large language model (LLM) chatbots. The web server component accepts user-supplied input that is subsequently used to construct outbound HTTP requests. Because the input is not validated against an allowlist of hosts or schemes, attackers can substitute URLs pointing to internal infrastructure. The server then dereferences those URLs from its own network position, returning responses or side-effects to the attacker. This class of flaw is particularly dangerous in cloud-hosted deployments, where the 169.254.169.254 metadata endpoint issues short-lived IAM credentials to any process on the instance.

Root Cause

The root cause is missing validation of URL parameters consumed by the FastChat web server before they are passed to an HTTP client. The server treats user-controlled URLs as trusted destinations. No scheme filtering, host allowlisting, or metadata-endpoint blocking is applied prior to the outbound fetch.

Attack Vector

Exploitation requires only network access to the FastChat web interface. No authentication or user interaction is needed. An attacker submits a crafted request that instructs the server to retrieve a URL such as http://169.254.169.254/latest/meta-data/iam/security-credentials/. The server returns the metadata service response, disclosing AWS role credentials that the attacker can then use to pivot into the cloud environment. Internal services on RFC1918 addresses, loopback ports, and Kubernetes API endpoints are similarly reachable.

See the Huntr Bug Bounty Report for the technical proof-of-concept details.

Detection Methods for CVE-2024-12376

Indicators of Compromise

  • Outbound HTTP requests from the FastChat host to 169.254.169.254, metadata.google.internal, or metadata.azure.com
  • FastChat process connections to loopback (127.0.0.1) or RFC1918 addresses on non-standard ports
  • Web server access logs containing URL parameters with internal IPs, file://, or gopher:// schemes
  • Unexpected calls to AWS Security Token Service (STS) from IAM roles bound to the FastChat instance

Detection Strategies

  • Inspect FastChat request logs for parameters containing URLs that resolve to internal or link-local ranges
  • Correlate FastChat process telemetry with outbound connections to cloud metadata endpoints
  • Deploy egress network policies and alert on any FastChat-originated traffic that violates them
  • Monitor CloudTrail for use of instance-role credentials from IP addresses outside the FastChat host

Monitoring Recommendations

  • Enable IMDSv2 on AWS and alert on any IMDSv1 access attempts
  • Log and retain full HTTP request bodies at the FastChat reverse proxy for forensic review
  • Baseline normal outbound destinations for FastChat and alert on deviations

How to Mitigate CVE-2024-12376

Immediate Actions Required

  • Restrict network egress from FastChat hosts to only required destinations
  • Enforce AWS IMDSv2 and set the metadata hop limit to 1 to block SSRF-based credential theft
  • Place FastChat behind an authenticated reverse proxy and remove public exposure where feasible
  • Rotate any IAM credentials that may have been retrieved from affected instances

Patch Information

No vendor advisory or patched release is listed in the NVD data for CVE-2024-12376 at the time of publication. Operators should track the Huntr Bug Bounty Report and the upstream lm-sys/fastchat repository for a fix, and apply a validated build once released.

Workarounds

  • Add a URL allowlist in front of FastChat that rejects requests targeting link-local, loopback, and RFC1918 ranges
  • Block outbound connections to 169.254.169.254 at the host firewall or via a network security group
  • Run FastChat with a minimally privileged IAM role that has no sensitive permissions
  • Use a dedicated egress proxy that filters schemes to http/https only and enforces DNS pinning
bash
# Example AWS CLI: enforce IMDSv2 and restrict hop limit to mitigate SSRF credential theft
aws ec2 modify-instance-metadata-options \
  --instance-id i-0123456789abcdef0 \
  --http-tokens required \
  --http-put-response-hop-limit 1 \
  --http-endpoint enabled

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.