NextChat Vulnerability Affects ChatGPT-Next-Web, Server-Side Request Forgery and Cross-Site Scripting Attacks Possible
CVE-2023-49785

9.8 CRITICAL

Key Information:

CVE Published: 12 March 2024

Badges

📈 Trended | 📈 Score: 4,610 | 🟣 EPSS 92% | 📰 News Worthy

What is CVE-2023-49785?

CVE-2023-49785 is a vulnerability affecting NextChat, also known as ChatGPT-Next-Web, which is a cross-platform interface designed for interaction with the ChatGPT AI model. This vulnerability allows attackers to perform server-side request forgery (SSRF) and cross-site scripting (XSS) attacks, potentially leading to unauthorized access to internal systems and data manipulation. Organizations utilizing this product could face significant security threats, including data breaches and unauthorized actions taken within their internal networks.

Technical Details

The flaw exists in NextChat versions 2.11.2 and earlier and gives an attacker both read and write access to internal HTTP endpoints. Using HTTP methods such as POST and PUT, an attacker could manipulate data, or could proxy traffic through the vulnerable server so that requests to other internet resources appear to come from the server rather than from the attacker's own source IP. As of the latest reports, no official patch has been released to address this vulnerability, and users are advised to take alternative measures to secure their applications.

Impact of the Vulnerability

  1. Internal Data Exposure: The vulnerability facilitates unauthorized access to sensitive internal HTTP endpoints, which could lead to the leakage of confidential organizational data.

  2. Data Manipulation Risks: With write access enabled, attackers can perform unauthorized actions on the system, which may severely disrupt operations and affect the integrity of data.

  3. Proxy for Malicious Activities: By masking their actual source IPs, attackers can use the affected system to conduct further malicious activities against other targets, complicating incident response and attribution efforts for organizations.
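One alternative measure against the three impacts above is to check every outbound request before a server-side proxy route forwards it. The following is an added example, not NextChat's own code: the function names, the `api.openai.com` allowlist and the permitted methods are assumptions chosen for illustration.

```javascript
// Added example: outbound-request policy for a server-side proxy route.
// All names are hypothetical; the allowlists are assumptions for illustration.
const ALLOWED_HOSTS = new Set(["api.openai.com"]); // assumed only upstream needed
const ALLOWED_METHODS = new Set(["GET", "POST"]);  // assumed; PUT etc. rejected

// True for IPv4 literals in unspecified, private, loopback or link-local ranges.
function isInternalIPv4(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// True for localhost names and loopback, unique-local or link-local IPv6 literals.
function isInternalName(host) {
  return host === "localhost" || host.endsWith(".localhost") ||
    host === "[::1]" || /^\[(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/.test(host);
}

// Decide whether the proxy may forward `method` to `rawUrl`.
// Returns { ok, reason } so denied requests can be logged by category.
function checkOutbound(method, rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parsing normalises forms like 2130706433
  } catch (e) {
    return { ok: false, reason: "unparseable-url" };
  }
  const host = url.hostname; // lower-cased, userinfo and port stripped
  if (isInternalIPv4(host) || isInternalName(host)) {
    return { ok: false, reason: "internal-address" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: "host-not-allowlisted" };
  if (!ALLOWED_METHODS.has(String(method).toUpperCase())) {
    return { ok: false, reason: "method" };
  }
  return { ok: true, reason: "allowed" };
}
```

Run the check before the proxy issues the request and disable redirect following on the outbound call. Hostnames that merely resolve to internal addresses are not caught by the literal checks and are covered only by the allowlist.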

Affected Version(s)

NextChat 0 <= 2.11.2

News Articles

ChatGPT-Next-Web - SSRF/XSS (CVE-2023-49785)

Full-Read SSRF/XSS in NextChat, aka ChatGPT-Next-Web.

CVE-2023-49785: Vulnerability in NextChat

CVE-2023-49785 is a critical vulnerability affecting NextChat, an application that provides users with a web interface based on ChatGPT.

NextChat: An AI Chatbot That Lets You Talk to Anyone You Want To – Horizon3.ai

NextChat a.k.a ChatGPT-Next-Web, a popular Gen AI ChatBot, is vulnerable to a critical server-side request forgery (SSRF) vulnerability.

EPSS Score

92% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📈 Vulnerability started trending

  • Vulnerability published

  • 📰 First article discovered by Horizon3.ai