haotian-liu llava Server-Side Request Forgery Vulnerability in /run/predict Endpoint

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in haotian-liu/llava version 1.2.0 (LLaVA-1.6). The issue arises in the /run/predict endpoint, where insufficient validation of the path parameter allows an attacker to make the server issue requests on their behalf to hosts on internal networks or to the AWS instance metadata endpoint. This vulnerability could lead to unauthorized network access, exposure of sensitive data, and further exploitation within the network.

Impact

Exploitation of this vulnerability could result in unauthorized access to internal networks or the AWS metadata endpoint, allowing attackers to expose sensitive data and potentially exploit other vulnerabilities within the network.
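The defensive fix for this class of issue is to validate the user-supplied path/URL before the server fetches it, rejecting anything that points at loopback, private, link-local (including the 169.254.169.254 metadata address) or IPv4-mapped IPv6 ranges. The following is an added illustration written for this page, not code from the LLaVA project; the function names, the injectable `resolver` argument and the sample URLs are assumptions for illustration.

```python
"""Validate a user-supplied fetch target before a server-side request is made.

Added example, not LLaVA project code. Helper names are illustrative.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Address space a server-side fetcher must never reach. Includes the AWS
# instance metadata endpoint (169.254.169.254 is link-local), loopback,
# RFC 1918, carrier-grade NAT and the IPv6 equivalents.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def is_blocked_address(addr):
    """True if a literal IP address falls inside a range the server must not reach."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:169.254.169.254) before checking,
    # otherwise the IPv4 block list would be bypassed.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_reserved
        or ip.is_multicast
        or any(ip in net for net in BLOCKED_NETWORKS)
    )


def validate_fetch_target(url, resolver=_resolve):
    """Return (ok, reason) for a URL the server has been asked to fetch.

    Rejects non-http(s) schemes, missing hosts, unresolvable hosts and any
    host whose literal or resolved address is in a blocked range. `resolver`
    is injectable so the check can be exercised offline with fixed answers.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    # A literal IP is checked directly; a hostname is checked on every
    # address it resolves to, so a name that also has an internal A record
    # is rejected rather than allowed on the strength of its public one.
    try:
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"host does not resolve: {host!r}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"host {host!r} maps to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; resolver answers are fixed so this runs offline.
    for candidate in ["http://169.254.169.254/", "file:///etc/hosts",
                      "https://example.com/image.png"]:
        print(candidate, validate_fetch_target(candidate, resolver=lambda h: {"93.184.216.34"}))
```

Two caveats a practitioner should keep in mind: the address checked here must also be the address actually connected to (resolve once, then connect to the validated IP, or re-run the check on every redirect), otherwise DNS rebinding or a redirect can swap a permitted host for a blocked one after validation; and `socket.getaddrinfo` accepts decimal and other non-dotted IPv4 spellings, so routing hostnames through the resolver rather than a regular expression is what makes those spellings land in `is_blocked_address` as well.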

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.8
  exploitability  7.4
  remediation     0.0
  relevance       0.0
  threat          0.0
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.