Miggo Logo
Miggo Vulnerability Database
CVE-2024-3135

CVE-2024-3135: LocalAI cross-site request forgery vulnerability

6.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2024-3135
GHSA ID
GHSA-jhvf-7c85-3c9g
EPSS Score
0.26328%
CWE
CWE-352
Published
4/1/2024
Updated
4/16/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/go-skynet/LocalAIgo<= 2.7.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing CSRF protections on state-changing API endpoints. While specific function names aren't provided in the advisory, the core issue exists in HTTP handlers that process: 1) POST requests, 2) with simple content-types, 3) for resource-intensive operations (explicitly mentioned: image generation and file uploads). These characteristics align with typical API handler functions in Go web applications. The high confidence comes from the direct match between described attack vectors (malicious form submissions exhausting resources) and the required handler functionality to implement those API endpoints.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *ross-Sit* R*qu*st *or**ry (*SR*) vuln*r**ility *xists in t** mu*l*r/lo**l*i *ppli**tion, *llowin* *tt**k*rs to *r**t m*li*ious w**p***s t**t, w**n visit** *y * vi*tim, p*r*orm un*ut*oriz** **tions on t** vi*tim's lo**l Lo**l*I inst*n** wit*out t**

Reasoning

T** vuln*r**ility st*ms *rom missin* *SR* prot**tions on st*t*-***n*in* *PI *n*points. W*il* sp**i*i* *un*tion n*m*s *r*n't provi*** in t** **visory, t** *or* issu* *xists in *TTP **n*l*rs t**t `pro**ss`: *) POST r*qu*sts, *) wit* simpl* *ont*nt-typ*