CVE-2024-11449
📋 TL;DR
This vulnerability in haotian-liu/llava version 1.2.0 allows attackers to perform Server-Side Request Forgery (SSRF) through the /run/predict endpoint. Attackers can exploit insufficient path parameter validation to access internal networks or AWS metadata endpoints, potentially exposing sensitive data. Organizations running LLaVA-1.6 with the vulnerable endpoint exposed are affected.
💻 Affected Systems
- haotian-liu/llava
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal network resources, AWS credential theft leading to cloud account takeover, and lateral movement to critical systems.
Likely Case
Unauthorized access to internal services, exposure of sensitive metadata, and potential data exfiltration from accessible endpoints.
If Mitigated
Limited to attempted exploitation attempts that are blocked by network controls, with no successful data access.
🎯 Exploit Status
Exploitation requires crafting specific HTTP requests to the vulnerable endpoint. No authentication bypass is needed if endpoint is publicly accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.2.0
Vendor Advisory: https://huntr.com/bounties/e96aba28-d564-4ecb-ab77-350511d2e1ee
Restart Required: No
Instructions:
1. Update to the latest version of haotian-liu/llava. 2. Verify the /run/predict endpoint has proper input validation. 3. Test the fix by attempting SSRF payloads.
🔧 Temporary Workarounds
Network Segmentation
allRestrict access to the /run/predict endpoint using firewall rules or network policies.
Input Validation
allImplement strict validation of path parameters to block SSRF attempts.
🧯 If You Can't Patch
- Implement network-level restrictions to block outbound requests from the vulnerable service
- Deploy a web application firewall (WAF) with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Test the /run/predict endpoint with SSRF payloads targeting internal addresses or AWS metadata endpoints.Check Version:
Check the version in package.json or via the application's version endpoint if available.Verify Fix Applied:
Attempt the same SSRF payloads after patching; successful requests should be blocked or return errors.📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /run/predict with internal IPs or metadata URLs
- Outbound connections from the service to unexpected destinations
Network Indicators:
- Traffic from the service to internal network segments or metadata endpoints
SIEM Query:
source="llava" AND (url="/run/predict" AND (url_contains="169.254.169.254" OR url_contains="internal" OR url_contains="localhost"))