Medium

localai

Resource, Credit, and Disk Space Exhaustion via CSRF

Detail

A Cross-Site Request Forgery (CSRF) vulnerability in LocalAI version 2.7.0 allows an attacker to craft a malicious web page that, when visited by a victim, causes the victim's browser to issue unauthorized API calls to the victim's LocalAI instance. Because those forged calls run on the victim's behalf, they can exhaust the instance's compute resources, deplete any credits it consumes, and fill its disk. The weakness is structural: the API applies no CSRF token or other anti-forgery check, and no patched version is identified in the available information.

Available publicly on Apr 01 2024

CVSS: 6.5 (Medium)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

The vector reads: reachable over the network, low attack complexity, no privileges required, user interaction required (the victim must load the attacker's page), scope unchanged, no confidentiality or integrity impact, high availability impact.

Remediation Steps
  • Require an anti-forgery check on every request that consumes resources: a CSRF token for any form- or cookie-authenticated flow, or a credential the browser will not attach on a third party's behalf (for example an API key sent in the Authorization header).
  • Add browser-side mitigations: mark any session cookie SameSite, validate the Origin (or Referer) header against an allow-list, and do not emit permissive CORS headers.
  • Update LocalAI to a version that includes CSRF protections once one is released; none is identified in this advisory.
  • Until then, do not expose the instance to untrusted networks, and warn users that visiting an untrusted page while an unprotected instance is reachable from their browser can trigger the attack.
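The following is an added example, not code from LocalAI or from this advisory, showing how the remediation steps above combine into one Go net/http middleware. The API key, the allowed origin, and the /v1/completions path are constructed for illustration; the four requests at the bottom are built in-process with httptest rather than sent over a network.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// exampleKey is a constructed API key for this demonstration only; a real
// deployment loads it from configuration and never hard-codes it.
const exampleKey = "sk-example-do-not-use"

// allowedOrigins is a hypothetical allow-list of browser origins permitted to
// call the API. Any other Origin is treated as a cross-site request.
var allowedOrigins = map[string]bool{
	"http://localhost:8080": true,
}

// csrfProtect wraps an API handler with three independent checks. Each one
// alone defeats a request forged by a third-party page:
//  1. Origin, when the browser sends it, must be on the allow-list (403);
//  2. the request must carry a bearer token in Authorization, a header a
//     browser will not attach cross-site without a CORS preflight (401);
//  3. bodies must be application/json, so they cannot travel as a CORS
//     "simple request" using text/plain or form encodings (415).
// No Access-Control-Allow-Origin header is ever emitted, so any preflight a
// browser does send fails and the real cross-origin request is never issued.
func csrfProtect(apiKey string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" && !allowedOrigins[origin] {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, prefix) ||
			subtle.ConstantTimeCompare([]byte(strings.TrimPrefix(auth, prefix)), []byte(apiKey)) != 1 {
			http.Error(w, "missing or invalid API key", http.StatusUnauthorized)
			return
		}
		switch r.Method {
		case http.MethodPost, http.MethodPut, http.MethodPatch:
			mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
			if err != nil || mt != "application/json" {
				http.Error(w, "JSON body required", http.StatusUnsupportedMediaType)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// okHandler stands in for the real API: it simply acknowledges the call.
func okHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "accepted")
	})
}

// newPost builds a constructed POST to an illustrative completion endpoint.
// An empty origin or bearer means that header is omitted.
func newPost(origin, contentType, bearer string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/v1/completions", strings.NewReader(`{"prompt":"hello"}`))
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	r.Header.Set("Content-Type", contentType)
	if bearer != "" {
		r.Header.Set("Authorization", "Bearer "+bearer)
	}
	return r
}

// statusFor runs a request through a handler and returns the HTTP status.
func statusFor(h http.Handler, r *http.Request) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	h := csrfProtect(exampleKey, okHandler())
	cases := []struct {
		name string
		req  *http.Request
	}{
		{"forged simple POST from attacker page", newPost("https://attacker.example", "text/plain", "")},
		{"no Origin, no key (e.g. curl without a key)", newPost("", "application/json", "")},
		{"key present but form-encoded body", newPost("", "application/x-www-form-urlencoded", exampleKey)},
		{"legitimate same-origin JSON call with key", newPost("http://localhost:8080", "application/json", exampleKey)},
	}
	for _, c := range cases {
		fmt.Printf("%-45s -> %d\n", c.name, statusFor(h, c.req))
	}
}
```

The bearer-token requirement is the check that matters most for a JSON API such as this one: a browser attaches cookies to a cross-site request automatically, but it will not attach an Authorization header set by another site's script without a CORS preflight, which this middleware never approves. SameSite cookie attributes and CSRF tokens only help where authentication rides on a cookie or a form, so they are listed above as additional layers rather than the primary fix.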
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A