CVE-2024-3135 – github.com/go-skynet/localai

Package

Manager: go
Name: github.com/go-skynet/localai
Vulnerable Version: >=0 <=2.7.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00086 pctl0.25729

Details

LocalAI cross-site request forgery vulnerability A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim's local LocalAI instance without their consent. This vulnerability enables attackers to exhaust system resources, consume credits, and fill disk space by making numerous resource-intensive API calls, such as generating images or uploading files. The vulnerability stems from the application's acceptance of simple request content-types without requiring CSRF tokens or implementing other CSRF mitigation measures. Successful exploitation does not require network access to the vulnerable LocalAI environment.

Metadata

Created: 2024-04-01T21:30:46Z
Modified: 2024-04-16T15:49:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-jhvf-7c85-3c9g/GHSA-jhvf-7c85-3c9g.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-jhvf-7c85-3c9g
Finding: F007
Auto approve: 1