SSRF and Partial LFI in /models/apply Endpoint
The vulnerability in the /models/apply endpoint of LocalAI version 2.15.0 allows for SSRF and partial LFI attacks. It was patched in version 2.17.
Available publicly on Jul 06 2024 | Available with Premium on Jun 17 2024
Threat Overview
The /models/apply endpoint in LocalAI version 2.15.0 is vulnerable to Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI). The endpoint accepts both http(s):// and file:// schemes in the supplied URL, which can be exploited by an attacker with network access. The SSRF vulnerability allows an attacker to make arbitrary HTTP requests to internal servers, potentially exposing sensitive information. The LFI vulnerability allows only limited reading of local files, because file contents are exposed solely through a length-limited error message.
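As an added example (not LocalAI's own code), the following Go validator shows the kind of check a model-download endpoint needs before fetching a caller-supplied URL: an http/https-only scheme allowlist that refuses file://, plus rejection of hosts that point back at the server or its internal network. The function names and the sample URLs are assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ValidateModelURL vets a URL handed to a model-download endpoint before any
// fetch: only http/https (so file:// is refused), no userinfo, no localhost,
// and no IP-literal host in a loopback, private, link-local or unspecified
// range. Hostnames are not resolved here; the caller resolves once, passes
// each resulting address to CheckAddr, and dials only a vetted address.
func ValidateModelURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable url: %w", err)
	}
	if s := strings.ToLower(u.Scheme); s != "http" && s != "https" {
		return fmt.Errorf("scheme %q not allowed (only http/https)", u.Scheme)
	}
	if u.User != nil {
		return fmt.Errorf("userinfo in url not allowed")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q not allowed", host)
	}
	if addr, err := netip.ParseAddr(host); err == nil {
		return CheckAddr(addr)
	}
	return nil // plain hostname: resolve it, then CheckAddr every result
}

// CheckAddr rejects addresses that would point the fetch at the host itself or
// at the internal network; IPv4-mapped IPv6 (::ffff:a.b.c.d) is unmapped first.
func CheckAddr(addr netip.Addr) error {
	addr = addr.Unmap()
	if !addr.IsGlobalUnicast() || addr.IsPrivate() {
		return fmt.Errorf("address %s is in a blocked range", addr)
	}
	return nil
}

func main() {
	for _, raw := range []string{"https://example.org/m.bin", "file:///etc/hostname", "http://127.0.0.1:8080/"} {
		fmt.Println(raw, "->", ValidateModelURL(raw))
	}
}
```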
Attack Scenario
An attacker with network access to the LocalAI instance can exploit the SSRF vulnerability by sending a request to the /models/apply endpoint with a crafted URL parameter. This allows the attacker to scan internal ports and potentially access internal services. Additionally, the attacker can exploit the LFI vulnerability by sending a request with a file:// URL to read local files, although the output is limited.
Who is affected
Users running LocalAI version 2.15.0 or earlier without proper network segmentation or additional authentication mechanisms are affected by this vulnerability.