PyPI: fschat
CVE-2024-10908
Safety vulnerability ID: SFTY-20250320-15555
Safety legacy ID: pyup.io-76278
Overview
FastChat open redirect vulnerability
Advisory
Affected versions of the lm-sys FastChat package (fschat) are vulnerable to open redirect. The application does not validate or sanitize user-supplied URL parameters before redirecting, so a remote unauthenticated attacker can craft a URL whose redirect parameter sends the user to an arbitrary external website; this can facilitate phishing, malware distribution and credential theft.
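As an added defensive illustration (not FastChat's code and not part of this advisory; the origin, parameter name and handler names are assumptions), the snippet below shows the defect class the advisory describes next to a redirect check that accepts only relative paths on the application's own origin:

```python
from urllib.parse import urljoin, urlsplit

# Constructed values for this illustration; FastChat's real origin and
# parameter names are not taken from the advisory.
APP_ORIGIN = "https://chat.example.org"
DEFAULT_TARGET = "/"


def unsafe_redirect_target(next_param: str) -> str:
    """The defect class in the advisory: the user-supplied value is handed
    straight to the redirect, so any external URL is honoured."""
    return next_param


def safe_redirect_target(next_param, default: str = DEFAULT_TARGET) -> str:
    """Return next_param only if it is a site-absolute path on this origin;
    otherwise fall back to a fixed internal default."""
    if not next_param:
        return default
    # Browsers normalise backslashes and control characters in ways urlsplit
    # does not model ("/\\evil.example" is treated like "//evil.example").
    if any(c in next_param for c in "\\\r\n\t\x00"):
        return default
    parts = urlsplit(next_param)
    # Any scheme ("https:", "javascript:") or authority ("//evil.example") is external.
    if parts.scheme or parts.netloc:
        return default
    # Must start with a single "/": "//..." and "///..." resolve to another host.
    if not next_param.startswith("/") or next_param.startswith("//"):
        return default
    # Belt and braces: resolve against our origin and confirm it stays there.
    origin = urlsplit(APP_ORIGIN)
    resolved = urlsplit(urljoin(APP_ORIGIN, next_param))
    if (resolved.scheme, resolved.netloc) != (origin.scheme, origin.netloc):
        return default
    return next_param


if __name__ == "__main__":
    # Constructed candidates covering the common bypass shapes.
    for candidate in ["/chat?model=vicuna", "//evil.example/login",
                      "https://evil.example/login", "javascript:alert(1)",
                      "/\\evil.example", "///evil.example", "evil.example"]:
        print(f"{candidate!r:32} unsafe -> {unsafe_redirect_target(candidate)!r:32} "
              f"safe -> {safe_redirect_target(candidate)!r}")
```

Wire the safe variant in front of whatever issues the HTTP redirect; if external destinations are genuinely required, replace the same-origin rule with an explicit host allowlist rather than loosening the checks.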
How to Fix
We recommend updating fschat to the latest non-vulnerable version.
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20250320-15555/CVE-2024-10908
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10908
- https://github.com/advisories/GHSA-77cj-rv5x-v6r2
- https://nvd.nist.gov/vuln/detail/CVE-2024-10908
- https://huntr.com/bounties/61f5e725-5579-4d08-8a88-e4ba04e6d1f2
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
