Serge
Monthly
Missing authentication in serge-chat serge up to version 1.4TB allows unauthenticated remote attackers to manipulate the download_model and delete_model API endpoints, enabling unauthorized model file deletion and modification through the Model API Endpoint in api/src/serge/routers/model.py. The vulnerability is confirmed to have publicly available exploit code and represents a direct authentication bypass with integrity and availability impact. The vendor did not respond to early disclosure notification.
Missing authentication in serge-chat serge up to version 1.4TB allows unauthenticated remote attackers to manipulate the download_model and delete_model API endpoints, enabling unauthorized model file deletion and modification through the Model API Endpoint in api/src/serge/routers/model.py. The vulnerability is confirmed to have publicly available exploit code and represents a direct authentication bypass with integrity and availability impact. The vendor did not respond to early disclosure notification.