Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability has been identified in LocalAI, a technology that provides AI model endpoints, allowing unauthorized access to internal network resources. This issue could permit external actors to interact with your private systems by leveraging a flaw in how the application handles model requests. The primary concern is to confirm if this technology is in use and if it is exposed to the internet.
- Unauthorized access to internal network resources.
- Critical vulnerability affects AI model endpoint technology.
- Confirm relevance and exposure for potential risk.
Attack Path
How an attacker could exploit the issue
An attacker can initiate a server-side request forgery by sending a specially crafted request to the `/models/apply` endpoint. This endpoint is exposed publicly and does not require authentication. The vulnerability stems from the direct use of unsanitized input from the `gallery URL` field, which the system then uses without proper validation to fetch configurations from arbitrary URLs. This can cause the server to make unintended HTTP requests to internal or loopback network addresses, potentially revealing partial error messages containing sensitive information.
- No authentication needed to access.
- Triggered by submitting a malformed URL.
- Allows fetching arbitrary internal URLs.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow an unauthenticated attacker to trick the LocalAI server into making requests to arbitrary internal URLs. When supported by the advisory, this could expose system data by leaking partial response content through error messages when attempting to access private or loopback network ranges.
- System URLs could be fetched.
- Server issues HTTP GET requests.
- Partial content may be leaked.
Operational Fix
Recommended remediation, mitigation, and detection steps
The LocalAI application's unauthenticated server-side request forgery vulnerability requires immediate attention from teams managing AI infrastructure and security. The first step is to identify all LocalAI instances, determine their exposure, and confirm if they are business-critical or directly reachable from external networks. Subsequently, the accountable owner must be identified to plan remediation based on the assessed risk.
- Identify LocalAI instances and exposure.
- Confirm business criticality and ownership.
- Plan remediation based on risk.