# FastChat — SSRF via unvalidated image URL fetching in chat flow

STATUS: ALMOST_REPORT (needs investigation; do not submit)
readiness: NEEDS_INVESTIGATION
program: FastChat | platform: huntr | repo: lm-sys/FastChat | commit: 2026-02-12-scan

````
Repository URL: https://github.com/lm-sys/FastChat
Package Manager: pip
Version Affected: latest (observed in 2026-02-12 scan)
Vulnerability Type: Server-Side Request Forgery (SSRF)

CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: Low

Title: load_image fetches attacker-supplied URLs with no SSRF validation

Impact: Enables SSRF for internal network probing and potentially metadata access. Exfiltration is somewhat constrained by image parsing behavior, but the request primitive remains exploitable.

Description:

# Description

FastChat's image handling utility fetches arbitrary URLs from user-provided `image_url` values and is called in worker request paths without destination validation. The scan notes that `sglang_worker` passes user-controlled image URLs into `load_image(images[i])`, enabling server-side requests to internal targets.

# Proof of Concept

1. Submit a chat/completion request containing an image URL field.
2. Set `image_url` to a collaborator endpoint to confirm the backend fetch.
3. Repeat with an internal target (e.g., a metadata/internal service URL).

Example target URL:

```text
http://169.254.169.254/latest/meta-data/
```

Expected vulnerable behavior: the FastChat worker attempts to fetch the attacker-specified URL server-side.

### Impact

Enables SSRF for internal network probing and potentially metadata access. Exfiltration is somewhat constrained by image parsing behavior, but the request primitive remains exploitable.
### Occurrences

```
Permalink: https://github.com/lm-sys/FastChat/blob/main/fastchat/utils.py#L394
Description: load_image fetches remote image URL without SSRF checks
```

### References

```
URL: https://cwe.mitre.org/data/definitions/918.html
Name: CWE-918: Server-Side Request Forgery
URL: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
Name: OWASP SSRF
```
````
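The destination check this finding says `load_image` lacks, written as an added example for the fix side of the report; it is not FastChat's code and does not reproduce FastChat's `load_image` signature. The function names, the `MAX_IMAGE_BYTES` cap and the `CONSTRUCTED_DNS` table are assumptions made for illustration: the URL's host is resolved (not string-matched) and every address it maps to must be globally routable, so a literal `169.254.169.254`, `localhost`, an IPv4-mapped IPv6 address or a name with one private record is refused before any request is made; the fetch itself then runs with redirects disabled and a size cap.

```python
"""Destination validation for user-supplied image URLs before a server-side
fetch. Added example; not FastChat's code. Function names, the size cap and
the DNS table below are constructed for illustration."""
from __future__ import annotations

import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_IMAGE_BYTES = 10 * 1024 * 1024  # assumed cap; tune to the deployment


class UnsafeImageURL(ValueError):
    """Raised when a URL must not be fetched from the server side."""


def is_public_address(text: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, link-local (169.254.0.0/16, which holds the cloud metadata
    address), RFC 1918, CGNAT, documentation, multicast and reserved
    ranges all fail this test.
    """
    addr = ipaddress.ip_address(text)
    # Judge IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) as the IPv4 it wraps.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def system_resolver(host: str) -> list[str]:
    """Resolve a name to every A/AAAA record the system resolver returns."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_image_url(url: str, resolver=system_resolver) -> list[str]:
    """Return the public addresses behind `url`, or raise UnsafeImageURL.

    Names are resolved rather than pattern-matched, so "localhost", odd IP
    spellings and split-horizon names are judged by where they point.
    Every address must be public; a single private record rejects the URL.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeImageURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeImageURL("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeImageURL("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal address, no DNS
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise UnsafeImageURL(f"no addresses for {host!r}")
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        raise UnsafeImageURL(f"{host!r} points at non-public address(es) {bad}")
    return addrs


def is_safe_image_url(url: str, resolver=system_resolver) -> bool:
    """Boolean form of validate_image_url for callers that only gate."""
    try:
        validate_image_url(url, resolver)
    except UnsafeImageURL:
        return False
    return True


class _RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """A validated host must not bounce the fetch to an unvalidated one."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise UnsafeImageURL(f"redirect to {newurl!r} refused")


def fetch_image_bytes(url: str, timeout: float = 5.0) -> bytes:
    """Validate the destination, then fetch with no redirects and a size cap.

    Caveat: the name is resolved here and again by urllib at connect time,
    so a DNS-rebinding answer between the two lookups is not caught; pinning
    the connection to the validated address would close that gap.
    """
    validate_image_url(url)
    opener = urllib.request.build_opener(_RefuseRedirects())
    with opener.open(url, timeout=timeout) as resp:
        data = resp.read(MAX_IMAGE_BYTES + 1)
    if len(data) > MAX_IMAGE_BYTES:
        raise UnsafeImageURL("image exceeds size cap")
    return data


# Constructed DNS table standing in for the system resolver in offline runs.
CONSTRUCTED_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
}


def constructed_resolver(host: str) -> list[str]:
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "https://cdn.example.com/a.png"):
        print(u, "->", is_safe_image_url(u, constructed_resolver))
```

Resolving first and checking every returned address is what makes the check hold against hostnames that merely look external; a denylist of strings such as `127.0.0.1` or `169.254.` would not. The redirect refusal matters for the same reason: a public host that answers with a 302 to an internal address would otherwise turn a validated fetch back into the SSRF primitive described above.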