CVE-2024-11603

Source
https://cve.org/CVERecord?id=CVE-2024-11603
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11603.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-11603
Aliases
Published
2025-03-20T10:15:25.450Z
Modified
2026-04-10T05:08:19.146765Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

A Server-Side Request Forgery (SSRF) vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the /queue/join? endpoint, where insufficient validation of the path parameter allows an attacker to send crafted requests. This can lead to unauthorized access to internal networks or the AWS metadata endpoint, potentially exposing sensitive data and compromising internal servers.

References

Affected packages

Git /

Affected ranges

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "0.2.36"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11603.json"