CVE-2026-6607

Summary

A security vulnerability has been detected in lm-sys fastchat up to 0.2.36. This issue affects the function api_generate of the component Worker API Endpoint. The manipulation leads to resource consumption. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The identifier of the patch is c9e84b89c91d45191dc24466888de526fa04cf33. It is suggested to install a patch to address this issue. Commit ff66426 patched this issue in api_generate of base_model_worker.py and did miss other entry points.

Affected Software

VendorProductVersion RangeStatus
lm-sysfastchat0.2.0affected
lm-sysfastchat0.2.1affected
lm-sysfastchat0.2.2affected
lm-sysfastchat0.2.3affected
lm-sysfastchat0.2.4affected
lm-sysfastchat0.2.5affected
lm-sysfastchat0.2.6affected
lm-sysfastchat0.2.7affected
lm-sysfastchat0.2.8affected
lm-sysfastchat0.2.9affected
lm-sysfastchat0.2.10affected
lm-sysfastchat0.2.11affected
lm-sysfastchat0.2.12affected
lm-sysfastchat0.2.13affected
lm-sysfastchat0.2.14affected
lm-sysfastchat0.2.15affected
lm-sysfastchat0.2.16affected
lm-sysfastchat0.2.17affected
lm-sysfastchat0.2.18affected
lm-sysfastchat0.2.19affected
lm-sysfastchat0.2.20affected
lm-sysfastchat0.2.21affected
lm-sysfastchat0.2.22affected
lm-sysfastchat0.2.23affected
lm-sysfastchat0.2.24affected
lm-sysfastchat0.2.25affected
lm-sysfastchat0.2.26affected
lm-sysfastchat0.2.27affected
lm-sysfastchat0.2.28affected
lm-sysfastchat0.2.29affected
lm-sysfastchat0.2.30affected
lm-sysfastchat0.2.31affected
lm-sysfastchat0.2.32affected
lm-sysfastchat0.2.33affected
lm-sysfastchat0.2.34affected
lm-sysfastchat0.2.35affected
lm-sysfastchat0.2.36affected

Weaknesses

  • CWE-400: Resource Consumption
  • CWE-404: Denial of Service

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References