LMDeploy Server-Side Request Forgery Vulnerability in Vision-Language Module

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in LMDeploy versions prior to 0.12.3, specifically within the vision-language module. The vulnerability arises because the 'load_image()' function in 'lmdeploy/vl/utils.py' fetches arbitrary URLs without checking whether the target resolves to an internal or private IP address. This oversight allows attackers to reach cloud metadata services, internal networks, and other sensitive resources through the server. The issue has been patched in version 0.12.3.

Impact

Exploitation of this vulnerability allows for unauthorized access to cloud metadata services, internal networks, and sensitive resources, potentially leading to the theft of cloud credentials and unauthorized access to internal services.

Reproduction

To reproduce this vulnerability, deploy the LMDeploy server with a vision-language model. Then, send a request to the '/v1/chat/completions' endpoint with a malicious 'image_url' that points to a private IP address or cloud metadata service URL. The server will fetch the URL without validation, allowing access to the targeted resource.

Remediation

Users can upgrade to LMDeploy version 0.12.3 or later, where this vulnerability has been patched.
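As an added illustration of the kind of check this class of bug needs before an image URL is fetched (example code, not LMDeploy's own code or its actual patch): reject non-HTTP schemes and embedded credentials, resolve the host, and refuse any address that is not public unicast. The function and constant names and the injectable resolver are assumptions for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed example: these names are not LMDeploy APIs.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def _is_blocked_address(addr: str) -> bool:
    """True for loopback, private, link-local (incl. 169.254.169.254),
    multicast, reserved and unspecified addresses; False for public unicast."""
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.5) by the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def _default_resolver(host: str) -> list[str]:
    """Resolve host to every A/AAAA record so each candidate gets checked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def image_url_block_reason(url: str, resolver=_default_resolver):
    """Return None if url is safe to fetch server-side, else a reason string."""
    # `resolver` is injectable so the check can be unit-tested offline.
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"unsupported scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "URL has no host"
    if parts.username or parts.password:
        return "credentials in URL are not allowed"
    if host in BLOCKED_HOSTNAMES:
        return f"blocked host name {host}"
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # IP literal, nothing to resolve
    except ValueError:  # host name: resolve it
        addresses = resolver(host)
    if not addresses:
        return f"could not resolve {host}"
    for addr in addresses:
        if _is_blocked_address(addr):
            return f"{host} resolves to non-public address {addr}"
    return None  # safe: caller may fetch, pinning to the checked address
```

The check alone does not close two gaps: connect to the address that was validated (or re-validate inside the connection hook) so a DNS rebinding between check and fetch cannot slip through, and run the same check on every HTTP redirect target.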

Added: Apr 20, 2026, 9:25 PM
Updated: Apr 20, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 3.1
exploitability: 9.1
remediation: 7.7
relevance: 6.3
threat: 6.6
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.