Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim's local LocalAI instance without their consent. This vulnerability enables attackers to exhaust system resources, consume credits, and fill disk space by making numerous resource-intensive API calls, such as generating images or uploading files. The vulnerability stems from the application's acceptance of simple request content-types without requiring CSRF tokens or implementing other CSRF mitigation measures. Successful exploitation does not require network access to the vulnerable LocalAI environment.

INFO

Published Date :

2024-04-01T18:45:07.253Z

Last Modified :

2024-08-01T19:32:42.865Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-3135 vulnerability.

Vendors Products
Mudler
  • Localai
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-3135.

URL Resource
https://huntr.com/bounties/7afdc4d3-4b68-45ea-96d0-cf9ed3712ae8 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact