haotian-liu llava Server-Side Request Forgery Vulnerability in Controller API Server

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the POST /worker_generate_stream endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). The endpoint makes the controller issue an outbound HTTP request whose destination an attacker can influence, so the attacker can borrow the controller's network position and credentials to reach web resources that only the controller can reach, or to trigger actions on them, without authorization.

Impact

Exploitation of this vulnerability could give an attacker access to web resources that are reachable only from the Controller API Server's network position, or let them perform actions against other services that appear to come from the victim's Controller API Server.
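The SSRF described above comes down to the controller building an outbound request from a worker address it never verified. The following is an added example, not code from haotian-liu/llava: a toy worker registry in the style of a controller's worker table, shown once with unchecked registration (which makes the later forward attacker-controllable) and once with an allowlist check. WorkerRegistry, validate_worker_address, is_allowed_worker_address, the allowlisted networks and hostnames, and the assumption that the attacker-controlled address enters through worker registration are all assumptions of this example, not details from the advisory.

```python
"""Added illustration (not LLaVA's own code) of an SSRF-prone worker forward
and an allowlisted alternative. Every name here is hypothetical."""
import ipaddress
from urllib.parse import urlsplit

# Constructed operator policy: the only places a real worker may live.
ALLOWED_WORKER_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_WORKER_HOSTS = {"worker-1.internal", "worker-2.internal"}
ALLOWED_SCHEMES = {"http", "https"}


class WorkerAddressError(ValueError):
    """Raised when a registered worker address fails the allowlist check."""


def validate_worker_address(addr: str) -> str:
    """Return the normalized base URL for a worker or raise WorkerAddressError.

    Rejects anything that is not plain http(s), carries credentials, a path,
    a query or a fragment, or points at a host outside the allowlist. Checking
    membership in the allowlist (rather than "not private") also blocks
    loopback, link-local and other internal ranges the controller can reach.
    """
    parts = urlsplit(addr)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise WorkerAddressError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise WorkerAddressError("credentials in worker address")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise WorkerAddressError("worker address must be a bare host[:port]")
    host = parts.hostname
    if not host:
        raise WorkerAddressError("missing host")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: must fall inside an allowed worker network.
        if not any(ip in net for net in ALLOWED_WORKER_NETWORKS):
            raise WorkerAddressError(f"IP {ip} not in allowed worker networks")
    else:
        # Hostname: literal allowlist match. No DNS lookup happens here, so
        # the controller must apply the same check to the resolved address
        # (or pin the resolution) when it actually connects.
        if host.lower() not in ALLOWED_WORKER_HOSTS:
            raise WorkerAddressError(f"host {host!r} not an allowed worker")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{host}{port}"


def is_allowed_worker_address(addr: str) -> bool:
    """Boolean wrapper around validate_worker_address for quick checks."""
    try:
        validate_worker_address(addr)
    except (WorkerAddressError, ValueError):
        return False
    return True


class WorkerRegistry:
    """In-memory stand-in for a controller's worker table."""

    def __init__(self, validate: bool):
        self.validate = validate
        self.workers = {}  # model name -> worker base URL

    def register(self, model: str, addr: str) -> None:
        # validate=False reproduces the SSRF-prone pattern: whatever string
        # the caller supplies becomes the target of a later controller request.
        if self.validate:
            addr = validate_worker_address(addr)
        self.workers[model] = addr

    def build_forward_url(self, model: str) -> str:
        """URL the controller would POST the client's payload to."""
        if model not in self.workers:
            raise KeyError(model)
        return self.workers[model].rstrip("/") + "/worker_generate_stream"


if __name__ == "__main__":
    # Constructed inputs: one legitimate worker and one attacker-chosen target.
    unsafe = WorkerRegistry(validate=False)
    unsafe.register("llava-v1.6", "http://127.0.0.1:8080/admin")
    print("unchecked forward:", unsafe.build_forward_url("llava-v1.6"))

    safe = WorkerRegistry(validate=True)
    safe.register("llava-v1.6", "http://10.20.1.5:40000")
    print("allowlisted forward:", safe.build_forward_url("llava-v1.6"))
    try:
        safe.register("llava-v1.6", "http://127.0.0.1:8080/admin")
    except WorkerAddressError as exc:
        print("rejected:", exc)
```

The check sits at registration time because that is the point where the address is still a string and can be refused cheaply; the same validation should be re-applied when the forward is performed, after name resolution, so that a hostname that later resolves to an internal address is caught as well.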

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.