Unrated severityNVD Advisory· Published Mar 20, 2025· Updated Mar 20, 2025
SSRF in parisneo/lollms-webui
CVE-2024-12766
Description
parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the POST /api/proxy REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized web resources by specifying the JSON parameter {"url":"http://steal.target"}. Existing security mechanisms such as forbid_remote_access(lollmsElfServer), lollmsElfServer.config.headless_server_mode, and check_access(lollmsElfServer, request.client_id) do not protect against this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.