ChatGPT-Next-Web SSRF Vulnerability Permits Server Access Attack

Overview of the Vulnerability

A critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2023-49785, has been discovered in the widely deployed standalone Gen AI chatbot application, ChatGPT-Next-Web. This GitHub project, which has garnered over 63,000 stars and 52,000 forks, is now a significant security concern due to the SSRF issue that allows attackers to gain full read and write access to the server.

Details of the SSRF Vulnerability

The SSRF vulnerability in ChatGPT-Next-Web versions 2.11.2 and prior enables attackers to send crafted requests from the vulnerable server to itself or to other backend systems that the server can communicate with, potentially leading to unauthorized access and control over sensitive data and system functionality. This vulnerability is particularly dangerous as it can be exploited remotely without any form of authentication.

Unveiling the SSRF Vulnerability in Popular AI Chatbot

In a groundbreaking discovery, cybersecurity researchers have identified a critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2023-49785, in ChatGPT-Next-Web, also known as NextChat. This popular standalone AI chatbot application, widely deployed with over 7,500 instances primarily in China and the US, is now at risk of allowing attackers to gain unauthorized access to internal systems and data.

The Dual Nature of Standalone AI Chatbots

While standalone AI chatbots like NextChat offer enhanced user interfaces and additional features over cloud-based alternatives, they also introduce significant security risks.

The identified SSRF vulnerability enables attackers to exploit the application to access internal HTTP endpoints, download full responses from targeted endpoints, and potentially compromise the entire network connected to the application.

Technical Insights into the Vulnerability

The vulnerability stems from an endpoint named “/api/cors” in the NextChat application, which acts as an open proxy allowing unauthorized requests to external servers. Originally designed to facilitate saving chat data on WebDAV servers, this endpoint inadvertently bypasses browser security measures, enabling attackers to craft requests that the application forwards blindly.

This flaw not only permits access to sensitive internal resources but also allows attackers to employ various HTTP methods with custom request bodies, manipulate URL parameters, and include authorization headers within requests.

The discovery of the SSRF vulnerability in ChatGPT-Next-Web highlights the importance of continuous vigilance and proactive security measures in protecting web applications and servers from cyber threats. Organizations are urged to stay informed about such vulnerabilities and to take appropriate actions to safeguard their digital assets.

Additional Threat: Reflected XSS Vulnerability

In addition to the SSRF vulnerability, a specific reflected Cross-Site Scripting (XSS) vulnerability has been identified. This flaw exploits the application’s /api/cors endpoint, allowing attackers to inject malicious payloads that execute in the victim’s browser, further compromising the security of users.

The SSRF vulnerability poses a significant risk to organizations using ChatGPT-Next-Web, as it can be exploited to gain unauthorized access to internal systems. This could lead to data breaches, disruption of services, and other malicious activities. The presence of over 7,500 exposed instances of the application, primarily in China and the US, underscores the widespread impact of this security flaw.

Timeline of Disclosure and Mitigation Efforts

The vulnerability was reported to the vendor in November 2023, but despite the lapse of over 90 days, no patch has been released. In light of the potential risks, the technical details of the vulnerability have been publicly disclosed to alert the community and encourage immediate protective measures.

  • November 25, 2023: Horizon3.ai reported the security issue to ChatGPT-Next-Web via GitHub’s vulnerability disclosure process.
  • November 26, 2023: The vendor acknowledged the report.
  • December 6, 2023: GitHub CNA reserved CVE-2023-49785 for the vulnerability.
  • January 15, 2024: Horizon3.ai followed up with the vendor for an update but received no response.

As of the date of this press release, more than 90 days have passed since the initial report, and there is still no patch available for the vulnerability.

Recommendations for Users and Administrators

Given the absence of a patch, users and administrators are advised to exercise caution when using ChatGPT-Next-Web, especially in online environments. If internet exposure is unavoidable, deploying the software in a secure, isolated network without access to internal resources is recommended. Staying informed about updates and patches is crucial for mitigating the risks associated with this vulnerability.

In the absence of a patch, it is recommended that organizations using ChatGPT-Next-Web take immediate steps to mitigate the risk. This includes monitoring for any unusual activity on servers running the application, implementing network segmentation to limit the reach of potential attackers, and conducting regular security assessments to identify and address vulnerabilities.

The discovery of the SSRF vulnerability in ChatGPT-Next-Web highlights the ongoing challenges in securing AI chatbot applications against sophisticated cyber threats. As the line between personal and corporate use of such technologies continues to blur, the importance of robust cybersecurity measures and prompt vulnerability management cannot be overstated.

Leave A Comment