Cyber Posture

CVE-2024-8613

HighPublic PoC

Published: 20 March 2025

Published
20 March 2025
Modified
15 October 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0025 48.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Security Summary

CVE-2024-8613 is a vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 that enables attackers to access, copy, and delete other users' chat histories. The issue stems from improper handling of session data combined with a lack of access control mechanisms, allowing unauthorized viewing and manipulation of chat histories belonging to other users. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-639.

The vulnerability can be exploited by attackers who have low privileges, such as authenticated users on the system, over a network connection with low attack complexity and no requirement for user interaction. Successful exploitation grants high-impact access to sensitive chat history data, enabling the attacker to read confidential conversations (high confidentiality impact), modify or copy them (high integrity impact), and delete them (high availability impact).

Advisories point to a fix via a commit in the project's GitHub repository at https://github.com/gaizhenbiao/chuanhuchatgpt/commit/526c615c437377ee9c71f866fd0f19011910f705, with additional details and a bounty report available on Huntr at https://huntr.com/bounties/76258774-b011-4044-9c3d-c2609b1cbd29. Security practitioners should update to a patched version to mitigate the risks.

Details

CWE(s)
CWE-639NVD-CWE-noinfo

Affected Products

gaizhenbiao
chuanhuchatgpt
20240802

AI Security Analysis

AI Category
Enterprise AI Assistants
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
chuanhuchatgpt is a self-hosted web-based AI chat interface (ChatGPT-like), functioning as an enterprise-style AI assistant platform, with the vulnerability in its user session and access controls for chat histories.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.005 Messaging Applications Collection
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
attack.mitre.org →
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
attack.mitre.org →
Why these techniques?

Vulnerability enables exploitation of public-facing application (T1190) for unauthorized collection of chat histories from a messaging application (T1213.005) and data destruction via deletion (T1485).

References