CVE-2024-5616

4.3 MEDIUM

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in mudler/LocalAI allows attackers to trick authenticated users into deleting installed AI models without their consent. This affects LocalAI versions up to and including 2.15.0. Attackers can exploit this by luring victims to malicious web pages that trigger unauthorized model deletion requests.

💻 Affected Systems

Products:
  • mudler/LocalAI
Versions: Up to and including 2.15.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances where the web interface is accessible and models are installed. Requires the victim to be authenticated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Critical AI models like 'gpt-4-vision-preview' are deleted, disrupting AI services and requiring time-consuming re-downloads and reconfiguration.

🟠 Likely Case

Attackers delete commonly used models, causing service disruption until models are restored from backups or re-downloaded.

🟢 If Mitigated

With proper CSRF protections, no unauthorized model deletions occur, maintaining service availability.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated victim to visit a malicious page. Proof-of-concept available in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.15.0

Vendor Advisory: https://github.com/mudler/localai/commit/4e1463fec291612a59a16db60b3fd12d4c49d64b

Restart Required: Yes

Instructions:

1. Update LocalAI to a version after 2.15.0.
2. Restart the LocalAI service.
3. Verify CSRF tokens are now required for model deletion requests.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Restrict access to LocalAI web interface to trusted networks only

Configure firewall rules to limit access to LocalAI port (default 8080)

Reverse Proxy with CSRF Protection

Platform: linux

Place LocalAI behind a reverse proxy that adds CSRF protection

Configure nginx/apache with CSRF token validation
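
An added example of the reverse-proxy workaround above, written in Go; it is not LocalAI's code and not the upstream fix. It substitutes Origin/Referer verification for the token validation mentioned above, because that needs no change to the application behind the proxy. The trusted origin and listen address are assumed values.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// trustedOrigin is the origin users type to reach the UI (assumed, constructed value).
const trustedOrigin = "http://localai.example:9090"

// allowed reports whether a request may reach the upstream. Safe methods pass;
// state-changing methods must carry an Origin (or Referer) equal to trusted.
func allowed(r *http.Request, trusted string) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		// Trade-off: non-browser API clients send neither header, so they pass.
		return true
	}
	u, err := url.Parse(src)
	return err == nil && u.Scheme+"://"+u.Host == trusted
}

// guard wraps a handler and refuses cross-site state-changing requests with 403.
func guard(next http.Handler, trusted string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed(r, trusted) {
			log.Printf("blocked cross-site %s %q origin=%q", r.Method, r.URL.Path, r.Header.Get("Origin"))
			http.Error(w, "cross-site request refused", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// LocalAI on its default port (8080, per this page), reachable only via loopback.
	upstream := &url.URL{Scheme: "http", Host: "127.0.0.1:8080"}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe(":9090", guard(proxy, trustedOrigin)))
}
```

For the proxy to be the only path in, LocalAI itself has to listen on loopback (or be firewalled) so that browsers cannot reach port 8080 directly.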

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies for authentication
  • Use browser extensions that block CSRF attempts

🔍 How to Verify

Check if Vulnerable:

Check the LocalAI version: if it is ≤2.15.0 and the web interface is accessible, the instance is likely vulnerable

Check Version:

Check the LocalAI logs or API endpoint for version information

Verify Fix Applied:

Test that the model deletion endpoint requires a CSRF token after the update

📡 Detection & Monitoring

Log Indicators:

  • Unexpected model deletion events
  • DELETE requests to /models/ endpoint without CSRF tokens

Network Indicators:

  • Multiple DELETE requests from unexpected sources
  • Requests with missing CSRF headers

SIEM Query:

source="localai" AND (event="model_deleted" OR method="DELETE") AND NOT csrf_token=*

🔗 References