CVE-2024-11603: FastChat Server-Side Request Forgery vulnerability

March 20, 2025 (updated March 21, 2025)

A Server-Side Request Forgery (SSRF) vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the /queue/join? endpoint, where insufficient validation of the path parameter allows an attacker to send crafted requests. This can lead to unauthorized access to internal networks or the AWS metadata endpoint, potentially exposing sensitive data and compromising internal servers.

References

github.com/advisories/GHSA-h254-g997-685c
github.com/lm-sys/FastChat
huntr.com/bounties/89f1158d-4a75-4000-a1bd-f82dd1a62bff
nvd.nist.gov/vuln/detail/CVE-2024-11603

Code Behaviors & Features

Detect and mitigate CVE-2024-11603 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →