CVE-2024-12070: Denial of Service in haotian-liu/llava
Description
A Denial of Service (DoS) vulnerability exists in the file upload feature of haotian-liu/llava, specifically in Release v1.2.0 (LLaVA-1.6). The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload with an excessively large filename, the server becomes overwhelmed and unresponsive, leading to unavailability for legitimate users. This issue can be exploited without authentication, making it highly scalable and increasing the risk of exploitation.
Classification
CVE ID: CVE-2024-12070
CVSS Base Severity: HIGH
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Problem Types
CWE-400 Uncontrolled Resource ConsumptionAffected Products
Vendor: haotian-liu
Product: haotian-liu/llava
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.12% (probability of being exploited)
EPSS Percentile: 31.85% (scored less or equal to compared to others)
EPSS Date: 2025-04-18 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2024-12070https://huntr.com/bounties/8adac028-21c5-41ba-b785-b03066c0b2a6