CVE-2024-9309: SSRF in POST /worker_generate_stream API endpoint in haotian-liu/llava

9.3 CVSS

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). An unauthenticated attacker can make the Controller API Server issue outbound requests on their behalf, so that the server's own network position and credentials are used to perform web actions or reach web resources the attacker is not authorized to access (the CVSS vector below records a scope change for this reason: the impact lands on systems beyond the vulnerable component itself).
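The advisory does not say which request field ends up in the controller's outbound request, so the following is an added example rather than the LLaVA project's code or its fix. It assumes the usual SSRF shape, an attacker-influenced upstream URL that the server then fetches, and shows the gate a controller should apply to that URL before forwarding a client's request. The scheme set, allowlist, host names, resolver and the public address 93.184.216.34 are all constructed for illustration.

```python
"""Added example (not LLaVA project code): a gate a controller applies to an
upstream URL before forwarding a client's request to it. Host names, the
allowlist and the resolver used here are constructed for illustration."""
import ipaddress
from typing import Callable, Iterable, Optional, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed policy: workers are only ever reached over plain HTTP(S).
ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip: IPAddress) -> bool:
    """Ranges an SSRF typically aims at: loopback, RFC 1918 / ULA, link-local
    (cloud metadata 169.254.169.254 lives here), multicast, reserved, 0.0.0.0.
    IPv4-mapped IPv6 literals (::ffff:127.0.0.1) are judged as their IPv4 form."""
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_upstream_url(
    url: str,
    allowed_hosts: Optional[Iterable[str]] = None,
    resolve: Optional[Callable[[str], Iterable[str]]] = None,
) -> Tuple[bool, str]:
    """Return (True, "ok") if `url` may be contacted, else (False, reason).

    With `allowed_hosts`, the host must be on that list; a controller knows the
    workers it registered, so this is the preferred mode and lets workers on
    private addresses through when they are listed explicitly. Without a list,
    every address the host maps to must lie outside the internal ranges, and a
    bare host name is accepted only when a `resolve` callable is supplied,
    because an unresolved name cannot be judged and may point anywhere.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in url"
    if not host:
        return False, "missing host"
    host = host.lower().rstrip(".")

    if allowed_hosts is not None:
        if host in {h.lower().rstrip(".") for h in allowed_hosts}:
            return True, "ok"
        return False, f"host not in allowlist: {host!r}"

    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        if resolve is None:
            return False, f"unresolved host name not accepted: {host!r}"
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            return False, f"resolution failed for {host!r}: {exc}"
        if not addresses:
            return False, f"no addresses for {host!r}"
    for ip in addresses:
        if _is_internal(ip):
            return False, f"address {ip} is in an internal range"
    return True, "ok"


if __name__ == "__main__":
    workers = {"worker-1.internal.example"}
    for candidate in (
        "http://worker-1.internal.example:40000/worker_generate_stream",
        "http://127.0.0.1:21002/worker_generate_stream",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_upstream_url(candidate, allowed_hosts=workers))
```

Two caveats go with a check like this. The decision is made on the URL before the request is sent, so the HTTP client must not undo it afterwards: disable redirect following (`allow_redirects=False` in `requests`), since an allowlisted upstream can answer with a 302 to an internal address, and, in the no-allowlist mode, connect to the address that was checked rather than resolving the name a second time, or a rebinding DNS answer can swap in an internal address between check and use. The allowlist mode avoids both problems by tying the controller to the hosts it registered in the first place.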

Classification

CVE ID: CVE-2024-9309

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Problem Types

CWE-918 Server-Side Request Forgery (SSRF)

Affected Products

Vendor: haotian-liu

Product: haotian-liu/llava

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability that the vulnerability is exploited in the wild within the next 30 days)

EPSS Percentile: 11.24% (share of all scored CVEs whose EPSS score is at or below this one)

EPSS Date: 2025-04-18 (date on which the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-9309
https://huntr.com/bounties/2ba6be79-5c90-48fa-99cb-82503ea49a12

Timeline