CVE-2024-12070 – This vulnerability allows unauthenticated attac... (How to Fix)

Q: What is the severity of CVE-2024-12070?

CVE-2024-12070 has a CVSS score of 7.5 (HIGH). This vulnerability allows unauthenticated attackers to cause denial of service by sending file upload requests with excessively large filenames to the LLaVA-1.6 server. The server becomes overwhelmed and unresponsive, making it unavailable to legitimate users. Anyone running haotian-liu/llava v1.2.0 (LLaVA-1.6) is affected.

📋 TL;DR

This vulnerability allows unauthenticated attackers to cause denial of service by sending file upload requests with excessively large filenames to the LLaVA-1.6 server. The server becomes overwhelmed and unresponsive, making it unavailable to legitimate users. Anyone running haotian-liu/llava v1.2.0 (LLaVA-1.6) is affected.

💻 Affected Systems

Products:

haotian-liu/llava

Versions: v1.2.0 (LLaVA-1.6)

Operating Systems: All operating systems running the affected software

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability affects the file upload feature specifically. Any deployment using the default configuration is vulnerable.

📦 What is this software?

Large Language And Vision Assistant by Hliu

View all CVEs affecting Large Language And Vision Assistant →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage with the server becoming completely unresponsive, requiring manual intervention to restore service.

🟠

Likely Case

Temporary service degradation or outage affecting all users until the malicious requests stop or the server is restarted.

🟢

If Mitigated

Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and can be exploited remotely, making internet-facing instances particularly vulnerable.

🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but have reduced attack surface compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending specially crafted HTTP requests with large filenames in form-data. No authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after v1.2.0

Vendor Advisory: https://huntr.com/bounties/8adac028-21c5-41ba-b785-b03066c0b2a6

Restart Required: No

Instructions:

1. Update to the latest version of haotian-liu/llava. 2. Verify the fix by checking that filename length validation is implemented in the file upload handler.

🔧 Temporary Workarounds

Implement filename length validation

all

Add server-side validation to reject file uploads with filenames exceeding a reasonable length (e.g., 255 characters).

Implement rate limiting

all

Add rate limiting to the file upload endpoint to prevent mass exploitation attempts.

🧯 If You Can't Patch

Implement a web application firewall (WAF) with rules to block requests containing excessively long filenames.
Disable the file upload feature entirely if not required for your use case.

🔍 How to Verify

Check if Vulnerable:

Test by sending a file upload request with a filename exceeding 1000 characters and observing if the server becomes unresponsive.

Check Version:

Check the software version in your deployment configuration or via the application's version endpoint if available.

Verify Fix Applied:

After patching, attempt the same test with a large filename - the request should be rejected with an appropriate error message.

📡 Detection & Monitoring

Log Indicators:

Multiple failed file upload attempts with unusually long filenames
Server error logs showing memory exhaustion or timeout errors

Network Indicators:

High volume of POST requests to the file upload endpoint
Requests with Content-Type: multipart/form-data containing extremely long filenames

SIEM Query:

source="web_server" AND (uri="/upload" OR uri="/file-upload") AND filename_length > 1000

📊 Metadata

CVE ID: CVE-2024-12070

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

EPSS Score: 0.35% exploit probability (56.6th percentile)

Published: March 20, 2025

Last Updated: July 14, 2025

🔗 References

https://huntr.com/bounties/8adac028-21c5-41ba-b785-b03066c0b2a6 Exploit,Third Party Advisory
https://huntr.com/bounties/8adac028-21c5-41ba-b785-b03066c0b2a6 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-12070, you might also want to check these: