Cyber Resilience

CVE-2024-6095

MediumPublic PoC

Published: 06 July 2024

Published
06 July 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
EPSS Score 0.8638 99.4th percentile
Risk Priority 63 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-6095 is a medium-severity SSRF (CWE-918) vulnerability in Mudler Localai. Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as APIs and Models; in the Other ATLAS/OWASP Terms risk domain; MITRE ATLAS techniques in scope: Phishing (AML.T0052), Exploit Public-Facing Application (AML.T0049), Exfiltration via Cyber Means (AML.T0025).

Deeper analysis

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 permits Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint accepts both http(s):// and file:// schemes, with the latter enabling limited file reads through error messages whose length constrains output. The flaw is tracked as CWE-918 and carries a CVSS 3.1 score of 5.8.

An attacker with network access to the LocalAI instance can supply crafted URLs to reach internal HTTP or HTTPS services and to read portions of local files. Successful exploitation yields unauthorized disclosure of internal resources without requiring authentication or user interaction.

The issue is resolved in LocalAI version 2.17. Public references point to commits that restrict scheme handling on the affected endpoint and to the corresponding Huntr disclosure that documents the original report and fix.

The EPSS score has reached a peak of 0.8921 with a current value of 0.8638, indicating sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint supports both http(s):// and file:// schemes, where the latter can lead to LFI. However, the output…

more

is limited due to the length of the error message. This vulnerability can be exploited by an attacker with network access to the LocalAI instance, potentially allowing unauthorized access to internal HTTP(s) servers and partial reading of local files. The issue is fixed in version 2.17.

CWE(s)

AI Security AnalysisAI

AI Category
APIs and Models
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
LocalAI is an open-source platform providing OpenAI-compatible REST APIs for local inference of AI models (LLMs, etc.), and the vulnerability is in the /models/apply endpoint used for model loading/application.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SSRF and LFI vulnerability in the public-facing /models/apply endpoint enables exploitation of public-facing applications (T1190). Partial LFI via file:// scheme facilitates reading content from local files (T1005).

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0052: PhishingAML.T0049: Exploit Public-Facing ApplicationAML.T0025: Exfiltration via Cyber MeansAML.T0026AML.T0016: Obtain Capabilities

Affected Assets

mudler
localai
≤ 2.17.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.

addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

References