Moderate severityNVD Advisory· Published Apr 1, 2024· Updated Aug 1, 2024

Cross-Site Request Forgery (CSRF) Vulnerability in mudler/localai

CVE-2024-3135

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim's local LocalAI instance without their consent. This vulnerability enables attackers to exhaust system resources, consume credits, and fill disk space by making numerous resource-intensive API calls, such as generating images or uploading files. The vulnerability stems from the application's acceptance of simple request content-types without requiring CSRF tokens or implementing other CSRF mitigation measures. Successful exploitation does not require network access to the vulnerable LocalAI environment.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/go-skynet/LocalAIGo	<= 2.7.0	—

Affected products

Mudler/Mudler/localaiv5
Range: unspecified

Patches

2f297979a7c8

https://github.com/mudler/localaivia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-jhvf-7c85-3c9gghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-3135ghsaADVISORY
huntr.com/bounties/7afdc4d3-4b68-45ea-96d0-cf9ed3712ae8ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000