Executive Summary

This vulnerability exists in the lm-sys fastchat software up to version 0.2.36, specifically in the add_text function of the Arena Side-by-Side View Handler component.

The issue causes incorrect control flow within the application, which means the program may behave in unintended ways when processing certain inputs.

An attacker can exploit this vulnerability remotely, and the exploit code is publicly available.

Although a fix was applied in one file (gradio_block_arena_named.py), three other related files were not fixed, leaving the vulnerability partially unresolved.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows remote attackers to manipulate the control flow of the affected software, potentially causing it to behave incorrectly.

According to the CVSS scores, the impact is limited to integrity (I:L) with no impact on confidentiality or availability.

This means an attacker could potentially alter data or operations within the application but cannot access confidential information or cause denial of service.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-6608 is a content moderation bypass vulnerability in FastChat's Arena side-by-side chat modes that allows harmful or policy-violating content generated by one of the models (Model B) to persist unmoderated. This flaw enables users to circumvent content moderation filters, potentially exposing users to inappropriate or harmful content on public platforms.

While the provided resources do not explicitly mention compliance with specific standards or regulations such as GDPR or HIPAA, the presence of unmoderated harmful content could lead to violations of content policies and regulatory requirements related to user safety, data protection, and responsible AI use. Organizations using affected versions of FastChat might face increased risk of non-compliance due to failure to adequately moderate and control harmful content.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is related to incorrect or missing moderation of conversation history in FastChat's Arena side-by-side chat modes. Detection involves verifying whether the moderation filter properly includes the full conversation history from both models (Model A and Model B) before each user turn.

Specifically, you can check the source code of the FastChat installation to see if the files `gradio_block_arena_anony.py`, `gradio_block_arena_vision_named.py`, and `gradio_block_arena_vision_anony.py` contain the known bugs:

• In `gradio_block_arena_anony.py` and `gradio_block_arena_vision_named.py`, verify if both conversation histories are fetched from `states[0]` instead of `states[0]` and `states[1]`.
• In `gradio_block_arena_vision_anony.py`, check if the combined conversation history (`all_conv_text`) is constructed and passed to the moderation function, or if only the current user input is passed twice.

To detect exploitation attempts on your system or network, monitor logs or traffic for suspicious multi-turn conversations where moderation is bypassed, especially in the Anonymous Arena mode.

Since this is a code-level vulnerability, detection commands would involve searching the source code for the incorrect array indexing or missing conversation history concatenation. For example, you can use grep commands in the FastChat source directory:

• grep -r "states[0].conv.get_prompt()" path_to_fastchat/ | grep -v 'states[1]'
• grep -r "moderate_input" path_to_fastchat/ | grep -v 'all_conv_text'

These commands help identify files where Model B's conversation history is not properly referenced or where the moderation input does not include the full conversation history.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying the fixes described for the vulnerability to ensure the moderation filter correctly includes the full conversation history from both models.

• For the files `gradio_block_arena_anony.py` and `gradio_block_arena_vision_named.py`, change the right-side model’s conversation history reference from `states[0]` to `states[1]`.
• For `gradio_block_arena_vision_anony.py`, construct the combined conversation history by concatenating both models’ conversation histories and pass this combined text to the moderation function instead of only the current user input.

If you are using a public or third-party deployment of FastChat, check for updates or patches that address this issue, as the vulnerability was partially fixed in commit 34eca62 but remains in other files.

Additionally, consider temporarily disabling or restricting access to the affected Arena side-by-side modes, especially the Anonymous Arena mode, until the fixes are applied.

Monitor your system for any suspicious activity that might exploit this content moderation bypass.

Useful 0 Not Useful 0