CVE-2024-10044

CVSS 3.0 Score 9.3 of 10 (critical)

Details

Published Dec 30, 2024
CWE ID 918

Summary

CVE-2024-10044 is a Server-Side Request Forgery (SSRF) vulnerability identified in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat. This issue, which exists in commit e208d5677c6837d590b81cb03847c0b9de100765, allows attackers to exploit the victim's controller API server credentials and perform unauthorized web actions or access unauthorized web resources. By combining this vulnerability with the POST /register_worker endpoint, attackers can potentially gain unauthorized access to the targeted system or steal sensitive information. This vulnerability poses a serious threat to the security of the affected Controller API Server and requires immediate remediation.
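A defensive check for this class of SSRF, as an added example (not code from lm-sys/fastchat). It assumes the controller forwards requests to whatever address was supplied at POST /register_worker; the function name, the `resolve` parameter and the allowlisted network are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only network where model workers are expected to run.
ALLOWED_WORKER_NETS = [ipaddress.ip_network("10.20.0.0/24")]
ALLOWED_SCHEMES = {"http", "https"}


def validate_worker_address(addr, resolve):
    """Return (ok, reason) for a worker address supplied at registration.

    `resolve` maps a hostname to a list of IP strings. It is injected so the
    check can be tested offline; in production it would wrap the DNS resolver.
    """
    parts = urlsplit(addr)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme"
    if parts.username or parts.password:
        return False, "userinfo"
    if not parts.hostname:
        return False, "host"
    # A worker address is a base URL; the controller appends the endpoint path.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False, "path"
    try:
        ips = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        ips = [ipaddress.ip_address(ip) for ip in resolve(parts.hostname)]
    if not ips:
        return False, "unresolved"
    # Every resolved address must be inside the allowlist, not just the first.
    for ip in ips:
        if not any(ip in net for net in ALLOWED_WORKER_NETS):
            return False, "network"
    return True, "ok"


# Constructed resolver table standing in for DNS.
SAMPLE_DNS = {
    "worker-1.internal": ["10.20.0.7"],
    "mixed.internal": ["10.20.0.7", "127.0.0.1"],
}


def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])
```

Because a DNS answer can change between registration and use, the same check should run again on the address the controller actually connects to when it forwards a request.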
