LLaMA-Factory Server-Side Request Forgery and Local File Inclusion Vulnerability in Chat API
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the chat API of LLaMA-Factory, a tuning library for large language models. This vulnerability, present in versions through 0.9.3, allows authenticated users to manipulate the server into making arbitrary HTTP requests to both internal and external networks. Such requests could expose sensitive internal services, facilitate reconnaissance of the internal network, or interact with third-party services. Additionally, this vulnerability introduces a Local File Inclusion (LFI) risk, enabling users to read arbitrary files from the server's filesystem. The issue resides in the '_process_request' function of 'src/llamafactory/api/chat.py', which processes incoming multimodal content, including images, videos, and audio supplied as URLs. The function does not adequately validate or sanitize these URLs before making HTTP GET requests, leaving room for exploitation.
Impact
Exploitation of this vulnerability allows for unauthorized HTTP requests to be made from the server, potentially accessing internal services or external resources. The LFI aspect enables reading of sensitive files from the server's filesystem, such as the passwd file.
Reproduction
To reproduce this vulnerability, send a POST request to the '/v1/chat/completions' endpoint with a JSON payload that includes a URL pointing to an internal or controlled external service. The server will then make a request to the specified URL, exploiting the SSRF vulnerability. For the LFI vulnerability, include a local file path in the payload instead.
Remediation
Users can update to LLaMA-Factory version 0.9.4 or later, where this vulnerability has been patched.
