Unauthorized Deletion of User Chats and Critical Files
A vulnerability in ChuanhuChatGPT version 20240410 allows any user to delete other users' chat histories and critical files, leading to a denial of service. This issue has not yet been patched.
Available publicly on Jun 21 2024
Threat Overview
The vulnerability allows any authenticated user to perform unauthorized deletions of other users' chat histories and critical system files by exploiting a path traversal flaw. This can lead to significant data loss and denial of service, as essential files like config.json can be deleted, rendering the service inoperable.
Attack Scenario
An attacker can exploit this vulnerability by sending a crafted POST request to the server, specifying the path of the file or chat history they wish to delete. For example, by targeting the config.json file, the attacker can cause a denial of service by preventing any user from authenticating to the service.
Who is affected
All users of ChuanhuChatGPT version 20240410 are affected, as any authenticated user can exploit this vulnerability to delete other users' data and critical system files.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.