AVID-2026-R1382
Description
Server-Side Request Forgery in haotian-liu/llava (CVE-2024-12068)
Details
A Server-Side Request Forgery (SSRF) vulnerability was discovered in haotian-liu/llava, affecting version git c121f04. This vulnerability allows an attacker to make the server perform HTTP requests to arbitrary URLs, potentially accessing sensitive data that is only accessible from the server, such as AWS metadata credentials.
Reason for inclusion in AVID: CVE-2024-12068 describes a Server-Side Request Forgery vulnerability in the haotian-liu/llava project, an AI model/serving stack. The vulnerability enables the server to make HTTP requests to arbitrary URLs, potentially exposing internal data (e.g., AWS metadata). This is a software vulnerability affecting a component used to deploy/run AI systems, representing a software supply-chain risk for general-purpose AI pipelines. Hardware/firmware-only issues are not applicable here. The report provides clear CVE details and impact signals.
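The mitigation for this class of bug is to validate user-supplied URLs before the server fetches them, rejecting anything that would reach a non-public address such as the cloud metadata endpoint. The following is an added example of such a check, not code from the llava project; the hostnames and the in-memory resolver table are constructed so it runs offline, and `check_outbound_url` is a hypothetical name.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed hostname table (hypothetical names) so the example runs offline.
FAKE_DNS = {
    "images.example.com": ["8.8.8.8"],         # stand-in for a public host
    "metadata.internal": ["169.254.169.254"],  # resolves to the cloud metadata IP
    "localhost": ["127.0.0.1"],
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

def system_resolve(host):
    # Real resolver for deployment: every returned address must pass the check.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so it cannot bypass the check.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global rejects loopback, link-local (169.254/16, including the metadata
    # endpoint), RFC 1918, unspecified, multicast and reserved ranges.
    return ip.is_global

def check_outbound_url(url, resolve=fake_resolve):
    """Return (allowed, reason, pinned_addresses) for a user-supplied URL."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme, []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup
    except ValueError:
        addrs = resolve(host)                       # hostname: check every A/AAAA
    if not addrs:
        return False, "unresolvable host: %r" % host, []
    for a in addrs:
        if not is_public_address(a):
            return False, "non-public address %s for host %r" % (a, host), []
    # The caller must connect to one of the returned addresses (pin it) rather
    # than re-resolving, otherwise DNS rebinding could swap in an internal IP.
    return True, "ok", addrs
```

Pass `resolve=system_resolve` in a real deployment; the pinned address list is what the HTTP client should connect to, and redirects must be re-checked with the same function.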
References
Affected or Relevant Artifacts
- Developer: haotian-liu
- Deployer: haotian-liu
- Artifact Details:
| Type | Name |
|---|---|
| System | haotian-liu/llava |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Field | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Base Score | 7.5 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | NONE |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-918 | CWE-918 Server-Side Request Forgery (SSRF) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry