<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>LMDeploy - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/lmdeploy/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/lmdeploy/feed.xml" rel="self" type="application/rss+xml"/><item><title>LMDeploy Vision-Language Module SSRF Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-lmdeploy-ssrf/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-lmdeploy-ssrf/</guid><description>A server-side request forgery (SSRF) vulnerability exists in LMDeploy's vision-language module, allowing attackers to access cloud metadata services and internal networks by exploiting the lack of URL validation in the `load_image()` function.</description><content:encoded><![CDATA[<p>A Server-Side Request Forgery (SSRF) vulnerability has been identified in the vision-language module of LMDeploy, affecting versions prior to 0.12.3. Specifically, the <code>load_image()</code> function in <code>lmdeploy/vl/utils.py</code> lacks proper validation of URLs before fetching images. This allows an attacker to craft malicious requests containing URLs pointing to internal resources, cloud metadata endpoints (like AWS's 169.254.169.254), or other sensitive internal network locations. The server, which binds to <code>0.0.0.0</code> by default and has API keys disabled, becomes an unwitting proxy, enabling the attacker to potentially steal cloud credentials or access internal services that are not exposed to the internet. This issue was tested against the main branch as of February 4, 2026. Orca Security discovered and reported this vulnerability, designated as CVE-2026-33626.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an LMDeploy server running a vulnerable version with vision-language capabilities enabled.</li>
<li>The attacker crafts a POST request to the <code>/v1/chat/completions</code> endpoint.</li>
<li>Within the request body, the attacker includes a malicious <code>image_url</code> pointing to an internal resource (e.g., <code>http://169.254.169.254/latest/meta-data/iam/security-credentials/</code>).</li>
<li>The LMDeploy server receives the request and, without proper validation, passes the <code>image_url</code> to the <code>load_image()</code> function.</li>
<li>The <code>load_image()</code> function uses the <code>requests.get()</code> method to fetch the resource at the attacker-supplied URL.</li>
<li>The server inadvertently retrieves the content from the internal resource (e.g., cloud metadata).</li>
<li>The attacker receives the sensitive information (e.g., AWS credentials) through a callback server or other means.</li>
<li>The attacker uses the stolen credentials or accessed information to further compromise the system or network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SSRF vulnerability can lead to several critical consequences. Attackers can steal cloud credentials from AWS, Azure, or GCP metadata services, granting them unauthorized access to cloud resources. They can also access internal services and resources that are not exposed to the internet, potentially gaining access to sensitive data or control over internal systems. Furthermore, attackers can use the compromised server as a pivot point to perform port scanning and other reconnaissance activities on the internal network, facilitating lateral movement and further attacks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade LMDeploy to version 0.12.3 or later to patch CVE-2026-33626.</li>
<li>Implement network segmentation to limit the impact of potential SSRF vulnerabilities.</li>
<li>Deploy the Sigma rule &quot;Detect LMDeploy SSRF Attempt to Cloud Metadata&quot; to detect attempts to access cloud metadata endpoints.</li>
<li>Monitor network connections from the LMDeploy server for suspicious outbound traffic to internal IP ranges using the &quot;Detect LMDeploy SSRF Attempt to Internal IP&quot; Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>lmdeploy</category><category>ssrf</category><category>vulnerability</category></item></channel></rss>