CVE-2024-11603 Information

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the /queue/join? endpoint where insufficient validation of the path parameter allows an attacker to send crafted requests. This can lead to unauthorized access to internal networks or the AWS metadata endpoint potentially exposing sensitive data and compromising internal servers.

Reference

https://huntr.com/bounties/89f1158d-4a75-4000-a1bd-f82dd1a62bff