CVE-2024-12376 – fschat
Package
Manager: pip
Name: fschat
Vulnerable Version: >=0 <=0.2.36
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00047 (percentile: 0.13939)
Details
FastChat Server-Side Request Forgery vulnerability
A Server-Side Request Forgery (SSRF) vulnerability was identified in the lm-sys/fastchat web server, specifically in the affected version git 2c68a13. This vulnerability allows an attacker to access internal server resources and data that are otherwise inaccessible, such as AWS metadata credentials.
Metadata
Created: 2025-03-20T12:32:43Z
Modified: 2025-03-21T16:41:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-g44m-hpf4-vmrp/GHSA-g44m-hpf4-vmrp.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-g44m-hpf4-vmrp
Finding: F100
Auto approve: 1