LMDeploy rapidly exploited

- LMDeploy, an open-source toolkit for serving large language models, was hit by active attacks less than 13 hours after CVE-2026-33626 became public on April 24, 2026.
- The bug let attackers feed LMDeploy a malicious image URL, turning the server into a web requester that probed Amazon Web Services metadata, Redis, MySQL, and localhost services.
- LMDeploy versions before 0.12.3 were affected, and the patch blocks unsafe URL fetching and redirects in the vision-language media loader. (nvd.nist.gov)

LMDeploy, a tool for serving large language models, was exploited in the wild less than 13 hours after CVE-2026-33626 was publicly disclosed on April 24, 2026. (thehackernews.com) The flaw sits in LMDeploy’s vision-language feature, which lets a model fetch an image from a URL and analyze it. In affected versions, that image loader would request arbitrary web addresses without checking whether they pointed to private or internal systems. (github.com) (nvd.nist.gov)

That kind of bug is called server-side request forgery, or SSRF: an attacker tricks a server into making requests on the attacker’s behalf. In cloud environments, that can expose metadata services, internal dashboards, and credentials that are not reachable from the public internet. (github.com) (nvd.nist.gov)

GitHub’s advisory says all LMDeploy versions before 0.12.3 were affected, with a high-severity score of 7.5. The vulnerable code was in `load_image` inside the vision-language module, and the project’s default network exposure made the bug more dangerous in real deployments. (github.com)

The Hacker News reported that the first observed attack hit a honeypot 12 hours and 31 minutes after the GitHub disclosure. The activity was detected at 03:35 a.m. Coordinated Universal Time on April 22, 2026, and came from IP address 103.116.72.119. (thehackernews.com)

According to that report, the attacker used 10 requests over an eight-minute session and switched between vision-language models including internlm-xcomposer2 and OpenGVLab/InternVL2-8B. The requests targeted Amazon Web Services Instance Metadata Service, Redis, MySQL, a local administrative interface, and a DNS callback endpoint. (thehackernews.com)

The patch trail shows InternLM merged security changes on March 27, 2026, adding URL safety checks and blocking redirects in the media connection code. NIST’s entry says version 0.12.3 fixes the issue. (github.com) (nvd.nist.gov)

Those code changes matter because redirects can turn a harmless-looking public URL into a path to a private address like `127.0.0.1` or `169.254.169.254`. The merged fix added explicit safe-URL validation before HTTP fetches and disabled automatic redirects. (github.com)

LMDeploy is not a niche side project: its GitHub repository says it is built to compress, deploy, and serve large language models, and the project has about 7,800 stars. That puts a widely used inference component in the same fast-patch cycle long familiar to web servers and developer tools. (github.com)

The episode compressed that cycle even further. A bug in an image-loading helper became an internet-facing foothold in half a day, and the fix now is straightforward: upgrade to 0.12.3 and stop exposed model servers from fetching untrusted URLs. (nvd.nist.gov) (github.com)
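
The two mitigations described above (safe-URL validation before the HTTP fetch, and no automatic redirects), as an added Python example for a media loader that accepts client-supplied image URLs. It is not LMDeploy's patch code; `resolve_host`, `check_url`, `NoRedirect` and `fetch_image` are hypothetical names, and treating every non-global address as unsafe is an assumption of this example.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def resolve_host(host):
    """Return every IP address the host name resolves to."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def check_url(url, resolve=resolve_host):
    """Return (ok, reason) for a media URL supplied by an API client."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        # IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged by its IPv4 address.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if not ip.is_global:  # loopback, RFC 1918, link-local (169.254/16), ...
            return False, f"{ip} is not a public address"
    return True, "ok"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse 3xx responses so a public URL cannot bounce to an internal one."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code, "redirect blocked", headers, fp)


def fetch_image(url, timeout=5):
    """Validate first, then fetch with redirects disabled."""
    ok, reason = check_url(url)
    if not ok:
        raise ValueError(f"refusing to fetch {url!r}: {reason}")
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```

`check_url` and the fetch resolve the host name separately, so a name whose DNS answer changes between the two steps can still slip through; connecting to the address that was validated closes that gap.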
