parisneo lollms-webui Server-Side Request Forgery Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in parisneo/lollms-webui version V13 (feather). The issue arises in the `POST /api/proxy` REST API, where attackers can exploit the vulnerability to misuse the victim server's credentials to access unauthorized web resources. This is achieved by specifying a JSON parameter with a URL targeting the desired resource. Notably, existing security measures do not mitigate this vulnerability.

Impact

Exploitation of this vulnerability allows for Server-Side Request Forgery, enabling attackers to access internal resources or external services on behalf of the server.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

3.3

exploitability

9.1

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.3

impact

3.3

exploitability

9.1

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

parisneo lollms-webui Server-Side Request Forgery Vulnerability

Vulnerability

Impact

Affected Products

parisneo/lollms-webui

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating