Medium

localai

CSRF Vulnerability Allowing Deletion of Installed Models

A Cross-Site Request Forgery (CSRF) vulnerability in LocalAI versions up to and including 2.15.0 allows attackers to trick victims into deleting installed models. The vulnerability was demonstrated using a proof of concept (PoC) where a victim's interaction with a malicious webpage results in the deletion of the model `gpt-4-vision-preview`. The specific patch version that addresses this vulnerability is not mentioned, indicating the need for users to update to a version later than 2.15.0.

Available publicly on Jul 06 2024

4.3

CVE:

CVE-2024-5616

CWE:

352:Cross-Site Request Forgery (CSRF)

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Credit:

h2oa
AssessDetect

Unavailable

Remediate
Remediation Steps
  • Update LocalAI to a version later than 2.15.0.
  • Implement CSRF tokens in the application to validate user requests.
  • Educate users on the risks of phishing and social engineering attacks.
  • Regularly audit and test the application for security vulnerabilities.
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.