CVE-2024-3135

NONE EPSS 21.3%
Published Apr 1, 2024 (2y ago) · Modified Jun 17, 2026 (1w ago)

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim's local LocalAI instance without their consent. This vulnerability enables attackers to exhaust system resources, consume credits, and fill disk space by making numerous resource-intensive API calls, such as generating images or uploading files. The vulnerability stems from the application's acceptance of simple request content-types without requiring CSRF tokens or implementing other CSRF mitigation measures. Successful exploitation does not require network access to the vulnerable LocalAI environment.

Threat Intelligence

EPSS Exploit Probability
21.3% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-352 Cross-Site Request Forgery (CSRF) (category: Authentication)

Affected Products 1

| Vendor | Product | Version | Range   |
|--------|---------|---------|---------|
| mudler | localai | *       | <2.17.0 |

References 1

  • huntr.com https://huntr.com/bounties/7afdc4d3-4b68-45ea-96d0-cf9ed3712ae8
    Tags: Exploit, Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.