CVE-2024-12070

High CVSS: 7.5

A Denial of Service (DoS) vulnerability exists in the file upload feature of haotian-liu/llava, specifically in Release v1.2.0 (LLaVA-1.6). The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload with an excessively large filename, the server becomes overwhelmed and unresponsive, leading to unavailability for legitimate users. This issue can be exploited without authentication, making it highly scalable and increasing the risk of exploitation.

Vendor

Hliu

Product

Large Language And Vision Assistant

CWE

CWE-400

Yayın Tarihi

2025-03-20 10:15:27

Güncelleme

2025-07-14 17:45:20

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-400 Large Language And Vision Assistant HIGH Hliu 2025

Referanslar

https://huntr.com/bounties/8adac028-21c5-41ba-b785-b03066c0b2a6 https://huntr.com/bounties/8adac028-21c5-41ba-b785-b03066c0b2a6

Benzer Kayıtlar

Medium

CVE-2024-9308

An open redirect vulnerability in haotian-liu/llava version v1.2.0 (LLaVA-1.6) allows a remote unauthenticated attacker…

Critical

CVE-2024-9309

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Contro…

Medium

CVE-2024-9311

A Cross-Site Request Forgery (CSRF) vulnerability in haotian-liu/llava v1.2.0 (LLaVA-1.6) allows an attacker to upload f…

High

CVE-2024-12068

A Server-Side Request Forgery (SSRF) vulnerability was discovered in haotian-liu/llava, affecting version git c121f04. T…

High

CVE-2024-12065

A local file inclusion vulnerability exists in haotian-liu/llava at commit c121f04. This vulnerability allows an attacke…

High

CVE-2024-11449

A vulnerability in haotian-liu/llava version 1.2.0 (LLaVA-1.6) allows for Server-Side Request Forgery (SSRF) through the…