CVE-2024-6095
Published: 06 July 2024
Summary
CVE-2024-6095 is a medium-severity SSRF (CWE-918) vulnerability in Mudler Localai. Its CVSS base score is 5.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models; in the Other ATLAS/OWASP Terms risk domain; MITRE ATLAS techniques in scope: Phishing (AML.T0052), Exploit Public-Facing Application (AML.T0049), Exfiltration via Cyber Means (AML.T0025).
Deeper analysis
A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 permits Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint accepts both http(s):// and file:// schemes, with the latter enabling limited file reads through error messages whose length constrains output. The flaw is tracked as CWE-918 and carries a CVSS 3.1 score of 5.8.
An attacker with network access to the LocalAI instance can supply crafted URLs to reach internal HTTP or HTTPS services and to read portions of local files. Successful exploitation yields unauthorized disclosure of internal resources without requiring authentication or user interaction.
The issue is resolved in LocalAI version 2.17. Public references point to commits that restrict scheme handling on the affected endpoint and to the corresponding Huntr disclosure that documents the original report and fix.
The EPSS score has reached a peak of 0.8921 with a current value of 0.8638, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47247
Vulnerability details
A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s):// and file:// schemes, where the latter can lead to LFI. However, the output…
more
is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17.
- CWE(s)
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- LocalAI is an open-source platform providing OpenAI-compatible REST APIs for local inference of AI models (LLMs, etc.), and the vulnerability is in the /models/apply endpoint used for model loading/application.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SSRF and LFI vulnerability in the public-facing /models/apply endpoint enables exploitation of public-facing applications (T1190). Partial LFI via file:// scheme facilitates reading content from local files (T1005).
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.