VYPR
Unrated severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025

SSRF in parisneo/lollms-webui

CVE-2024-12766

Description

parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the POST /api/proxy REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized web resources by specifying the JSON parameter {"url":"http://steal.target"}. Existing security mechanisms such as forbid_remote_access(lollmsElfServer), lollmsElfServer.config.headless_server_mode, and check_access(lollmsElfServer, request.client_id) do not protect against this vulnerability.
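An added example of the server-side check the description says is missing (this is not lollms-webui's own code and is not taken from the advisory): before a proxy endpoint such as POST /api/proxy fetches the caller-supplied "url", it restricts the scheme, rejects embedded credentials, requires the host to be on a deployment-specific allowlist, and refuses any host that resolves to a loopback, private, link-local or otherwise non-public address. The allowlist contents, the function names and the injectable resolver are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed, deployment-specific policy (constructed sample values).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def default_resolver(host):
    """Return every address the host currently resolves to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_proxy_target(url, resolver=default_resolver):
    """Decide whether a proxy request may be sent to `url`.

    Returns (ok, reason). ok is False for anything an SSRF could abuse:
    a non-http(s) scheme, credentials in the URL, a host outside the
    allowlist, or an allowlisted name that resolves to a non-public
    address (DNS pointing an allowed name at an internal service).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        addrs = resolver(host)
    except socket.gaierror:
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) as the IPv4 it wraps.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

The outbound request should then be sent to one of the addresses that passed this check rather than re-resolving the name, so that a DNS answer cannot change between validation and connection.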


Affected products (2)

  • Lollms/Lollms (llm-fuzzy), 2 versions: V13 (feather) + 1 more
    • (no CPE) range: V13 (feather)
    • (no CPE) range: unspecified
