Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network SSRF with scope change; confidentiality high via cloud credential theft; no integrity or availability impact on vulnerable system.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
text-generation-inference through 3.3.7 contains a server-side request forgery (SSRF) vulnerability in the OpenAI-compatible multimodal chat completions endpoint that allows unauthenticated network attackers to coerce the server into issuing arbitrary HTTP GET requests by supplying a crafted image_url value in chat message content. The fetch_image function in router/src/validation.rs performs no validation of private, loopback, link-local, or cloud metadata target addresses, and the reqwest HTTP client follows redirects by default, enabling attackers to bypass scheme checks via redirect chains to reach internal services and cloud instance-metadata endpoints for internal port scanning and credential theft.
AnalysisAI
Server-side request forgery in HuggingFace text-generation-inference through version 3.3.7 enables unauthenticated remote attackers to coerce the server into issuing arbitrary outbound HTTP GET requests via a crafted image_url value submitted to the OpenAI-compatible multimodal chat completions endpoint. The fetch_image function in router/src/validation.rs applies no destination validation, and the reqwest client's default redirect-following behavior allows attackers to chain redirects to bypass any scheme-level controls, reaching cloud instance-metadata services (e.g., AWS IMDSv1 at 169.254.169.254) to steal IAM credentials or enumerate internal port services. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The OpenAI-compatible multimodal chat completions endpoint must be network-accessible to the attacker, which is default behavior when TGI is deployed as a public or semi-public inference API. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.9 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N) accurately captures the threat profile: no authentication is required, network exploitation is straightforward, but the AT:P modifier reflects that full subsequent-system impact (SC:H) depends on the TGI server's network reachability to cloud metadata endpoints or internal HTTP services. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a POST request to the TGI multimodal chat completions endpoint with a chat message containing an image_url set to an attacker-controlled server. That server responds with an HTTP 302 redirect to http://169.254.169.254/latest/meta-data/iam/security-credentials/, causing TGI's reqwest client to follow the redirect and return the AWS IAM role credentials in the server's response. … |
| Remediation | No vendor-released patch version is independently confirmed at time of analysis - the affected CPE range covers all versions through 3.3.7 without specifying a fixed release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44953
GHSA-c6cx-mj2w-vjcr