AI Threat Alert

CVE-2024-10707: ChuanhuChatGPT: path traversal exposes server files unauthed

UNKNOWN PoC AVAILABLE CISA: TRACK*
Published March 20, 2025
CISO Take

Any self-hosted ChuanhuChatGPT instance is fully exposed: unauthenticated attackers can read arbitrary server files, including API keys for OpenAI/Anthropic stored in .env files. Patch immediately or take offline. Assume compromise and rotate all credentials on affected servers.

What is the risk?

High risk for orgs self-hosting ChuanhuChatGPT. Zero authentication barrier plus network-accessible attack surface means any internet-exposed instance is trivially exploitable. The inherited Gradio CVE-2024-4941 suggests broad impact across Gradio-based ML UIs. Primary exposure: API key theft enabling secondary cloud resource abuse and lateral movement.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
ChuanhuChatGPT pip No patch

Do you use ChuanhuChatGPT? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
0.7%
chance of exploitation in 30 days
Higher than 47% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What should I do?

5 steps

  1. Patch: Update chuanhuchatgpt to a version with patched gradio (>=5.9.1 per CVE-2024-4941).

  2. If immediate patching is not possible, restrict access to trusted IPs via firewall/reverse proxy authentication.

  3. Rotate all API keys stored on the server (OpenAI, Anthropic, cloud providers).

  4. Review access logs for POST requests to dataset/upload endpoints containing path traversal patterns (../../).

  5. Detection rule: alert on JSON uploads containing '../' sequences in file path fields.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Framework API AML.T0025 AML.T0037 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.9.1 - Information security controls for AI systems
NIST AI RMF
GOVERN-6.2 - Policies and procedures for AI system security
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-10707?

Any self-hosted ChuanhuChatGPT instance is fully exposed: unauthenticated attackers can read arbitrary server files, including API keys for OpenAI/Anthropic stored in .env files. Patch immediately or take offline. Assume compromise and rotate all credentials on affected servers.

Is CVE-2024-10707 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-10707, increasing the risk of exploitation.

How to fix CVE-2024-10707?

1. Patch: Update chuanhuchatgpt to a version with patched gradio (>=5.9.1 per CVE-2024-4941). 2. If immediate patching is not possible, restrict access to trusted IPs via firewall/reverse proxy authentication. 3. Rotate all API keys stored on the server (OpenAI, Anthropic, cloud providers). 4. Review access logs for POST requests to dataset/upload endpoints containing path traversal patterns (../../). 5. Detection rule: alert on JSON uploads containing '../' sequences in file path fields.

What systems are affected by CVE-2024-10707?

This vulnerability affects the following AI/ML architecture patterns: self-hosted LLM chat interfaces, Gradio-based ML UIs, AI development environments.

What is the CVSS score for CVE-2024-10707?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

self-hosted LLM chat interfacesGradio-based ML UIsAI development environments

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.9.1
NIST AI RMF: GOVERN-6.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

gaizhenbiao/chuanhuchatgpt version git d4ec6a3 is affected by a local file inclusion vulnerability due to the use of the gradio component gr.JSON, which has a known issue (CVE-2024-4941). This vulnerability allows unauthenticated users to access arbitrary files on the server by uploading a specially crafted JSON file and exploiting the improper input validation in the handle_dataset_selection function.

Exploitation Scenario

Attacker discovers a ChuanhuChatGPT instance via Shodan (port 7860, typical Gradio default) or a shared URL. Without any authentication, they upload a crafted JSON file to the dataset selection endpoint where the file path references ../../../.env or /proc/self/environ. The server returns file contents, exposing the operator's OpenAI API key. Attacker uses the key for their own LLM usage or sells it while the victim incurs charges. Total time to exploit: under 5 minutes with no specialized knowledge.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

References

Timeline

Published
March 20, 2025
Last Modified
October 15, 2025
First Seen
March 20, 2025

Related Vulnerabilities

CRITICAL CVE-2024-3234 9.8

ChuanhuChatGPT: path traversal exposes LLM API keys

Same package: chuanhuchatgpt
MEDIUM CVE-2023-34094 5.3

ChuanhuChatGPT: config exposure leaks API keys

Same package: chuanhuchatgpt
UNKNOWN CVE-2024-10650

ChuanhuChatGPT: DoS via multipart payload exhaustion

Same package: chuanhuchatgpt
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
Back to Threat Feed