CVE-2024-11045
📋 TL;DR
A Cross-Site WebSocket Hijacking vulnerability in automatic1111/stable-diffusion-webui version 1.10.0 allows attackers to hijack WebSocket connections and perform unauthorized actions on the server. This can lead to malicious extension installation, script execution, data theft, and denial of service. Users running the vulnerable version of this AI image generation web interface are affected.
💻 Affected Systems
- automatic1111/stable-diffusion-webui
📦 What is this software?
Stable Diffusion Webui by Automatic1111
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing arbitrary code execution, data exfiltration, installation of persistent backdoors, and rendering the system unusable.
Likely Case
Unauthorized cloning of malicious extensions leading to script execution, data theft, and potential DoS attacks disrupting the service.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external exploitation.
🎯 Exploit Status
Exploit details are publicly available on huntr.com with proof-of-concept demonstrating the CSWSH attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.1 or later
Vendor Advisory: https://github.com/AUTOMATIC1111/stable-diffusion-webui/security/advisories
Restart Required: Yes
Instructions:
1. Update to version 1.10.1 or later. 2. Run: git pull. 3. Restart the web UI service.
🔧 Temporary Workarounds
Network Isolation
allRestrict access to the WebSocket endpoint to localhost only
Configure firewall to block external access to port 7860
Use --listen flag with 127.0.0.1 only
WebSocket Origin Validation
allImplement origin validation for WebSocket connections
Modify WebSocket handler to validate Origin headers
Implement CSRF tokens for WebSocket connections
🧯 If You Can't Patch
- Isolate the service on a dedicated network segment with no internet access
- Implement a reverse proxy with WebSocket security controls and origin validation
🔍 How to Verify
Check if Vulnerable:
Check if running version 1.10.0 by examining the web UI interface or checking the installation directory version file.Check Version:
Check web UI interface or run: python launch.py --versionVerify Fix Applied:
Verify version is 1.10.1 or later and test WebSocket connections with invalid origins are rejected.📡 Detection & Monitoring
Log Indicators:
- Unauthorized WebSocket connection attempts
- Unexpected extension installation events
- Suspicious script execution in logs
Network Indicators:
- External connections to ws://127.0.0.1:7860/queue/join
- Unusual WebSocket traffic patterns
- Git clone operations from unknown repositories
SIEM Query:
source="webui.log" AND ("WebSocket hijack" OR "unauthorized connection" OR "malicious extension")