CVE-2023-34094: ChuanhuChatGPT: config exposure leaks API keys

MEDIUM PoC AVAILABLE
Published June 2, 2023
CISO Take

ChuanhuChatGPT deployments without authentication configured expose their config.json file to any unauthenticated network attacker, directly leaking LLM API keys stored in plaintext. The attack is trivial — no credentials, no user interaction, just a network request — and the exposed file typically contains API keys for OpenAI or other LLM providers. While not in CISA KEV and scored medium (CVSS 5.3), the practical blast radius exceeds the rating: stolen keys enable unauthorized model inference, cost harvesting against the victim's account, and potential access to associated provider resources such as fine-tuned models or uploaded files. Update to commit bfac445 or later, enable access authentication immediately, and rotate any API keys that may have been exposed.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Practical risk exceeds the CVSS 5.3 medium rating. All four network-facing exploitability factors are worst-case: AV:N, AC:L, PR:N, UI:N — making this trivially exploitable by any unauthenticated actor with network reach. The real damage is downstream: stolen LLM API keys enable cost harvesting, unauthorized inference, and potential pivot into associated provider accounts. Self-hosted deployments in enterprise or research environments assuming network perimeter protection are silently exposed if the service is accidentally internet-facing or if an internal threat actor is present.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
ChuanhuChatGPT pip No patch

Do you use ChuanhuChatGPT? You're affected.

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 46% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C Low
I None
A None

What should I do?

5 steps
  1. Patch: upgrade to commit bfac445 or any release after 20230526 — the vulnerability is fixed there.

  2. Workaround: enable access authentication on all ChuanhuChatGPT deployments immediately; do not rely on network perimeter alone.

  3. Key rotation: rotate all LLM API keys stored in config.json for any instance potentially reachable from untrusted networks.

  4. Detection: audit web server access logs for GET requests to config.json; any HTTP 200 response to an unexpected IP indicates potential compromise.

  5. Inventory: scan internal network for unauthenticated ChuanhuChatGPT instances via port scanning and UI fingerprinting.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI system information security controls
NIST AI RMF
GOVERN 6.2 - Organizational policies for AI risk management
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2023-34094?

ChuanhuChatGPT deployments without authentication configured expose their config.json file to any unauthenticated network attacker, directly leaking LLM API keys stored in plaintext. The attack is trivial — no credentials, no user interaction, just a network request — and the exposed file typically contains API keys for OpenAI or other LLM providers. While not in CISA KEV and scored medium (CVSS 5.3), the practical blast radius exceeds the rating: stolen keys enable unauthorized model inference, cost harvesting against the victim's account, and potential access to associated provider resources such as fine-tuned models or uploaded files. Update to commit bfac445 or later, enable access authentication immediately, and rotate any API keys that may have been exposed.

Is CVE-2023-34094 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-34094, increasing the risk of exploitation.

How to fix CVE-2023-34094?

1. Patch: upgrade to commit bfac445 or any release after 20230526 — the vulnerability is fixed there. 2. Workaround: enable access authentication on all ChuanhuChatGPT deployments immediately; do not rely on network perimeter alone. 3. Key rotation: rotate all LLM API keys stored in config.json for any instance potentially reachable from untrusted networks. 4. Detection: audit web server access logs for GET requests to config.json; any HTTP 200 response to an unexpected IP indicates potential compromise. 5. Inventory: scan internal network for unauthenticated ChuanhuChatGPT instances via port scanning and UI fingerprinting.

What systems are affected by CVE-2023-34094?

This vulnerability affects the following AI/ML architecture patterns: self-hosted LLM chat interfaces, LLM framework deployments, AI tool configuration management.

What is the CVSS score for CVE-2023-34094?

CVE-2023-34094 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.62%.

What is the AI security impact?

Affected AI Architectures

self-hosted LLM chat interfacesLLM framework deploymentsAI tool configuration management

MITRE ATLAS Techniques

AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

ChuanhuChatGPT is a graphical user interface for ChatGPT and many large language models. A vulnerability in versions 20230526 and prior allows unauthorized access to the config.json file of the privately deployed ChuanghuChatGPT project, when authentication is not configured. The attacker can exploit this vulnerability to steal the API keys in the configuration file. The vulnerability has been fixed in commit bfac445. As a workaround, setting up access authentication can help mitigate the vulnerability.

Exploitation Scenario

An attacker scans internet-facing hosts for ChuanhuChatGPT deployments identifiable by UI fingerprinting or known default ports. On a deployment without authentication configured, they issue a direct HTTP GET to the config.json endpoint. The server returns the file in plaintext, including OpenAI or other LLM provider API keys. The attacker then uses these keys to run automated workloads under the victim's account — exhausting API credits, querying the model with sensitive prompts, or enumerating provider-side assets such as fine-tuned models and uploaded files. If the key carries organization-level permissions, the attacker gains visibility into the full API usage history and any data stored with the provider.

Weaknesses (CWE)

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  • [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Timeline

Published
June 2, 2023
Last Modified
November 21, 2024
First Seen
June 2, 2023

Related Vulnerabilities