We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Assigner | @huntr_ai |
Reserved | 2024-06-04 |
Published | 2024-07-06 |
Updated | 2024-08-01 |
A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as 'gpt-4-vision-preview', without the victim's consent. The vulnerability is due to insufficient CSRF protection mechanisms on the model deletion functionality.
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
CWE-352 Cross-Site Request Forgery (CSRF)
https://huntr.com/bounties/fd753fb6-ba04-4dd8-abef-918fb97120af
https://github.com/mudler/localai/commit/4e1463fec291612a59a16db60b3fd12d4c49d64b