CVE-2024-3234: ChuanhuChatGPT: path traversal exposes LLM API keys

CRITICAL PoC AVAILABLE NUCLEI TEMPLATE CISA: ATTEND

Published June 6, 2024

CISO Take

Any self-hosted ChuanhuChatGPT instance exposes its config.json—including LLM provider API keys—to unauthenticated remote attackers via a trivial path traversal. Rotate all API keys immediately on affected deployments, upgrade to the version released post-2024-03-05, and block external access until patched. Assume API keys are compromised on any unpatched internet-facing instance.

What is the risk?

CVSS 9.8 with no authentication, no user interaction, and network accessibility makes this exploitable by any opportunistic attacker—no AI/ML knowledge required. The blast radius extends well beyond the application: stolen LLM API keys enable unauthorized usage at the victim's expense, access to other services sharing the key, and potential data exfiltration from connected AI backends. Self-hosted AI chat interfaces are routinely deployed by development and research teams with minimal security hardening, significantly increasing real-world exposure. The chained dependency on CVE-2023-51449 (already public) means exploit code is likely available.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
ChuanhuChatGPT	pip	—	No patch

Do you use ChuanhuChatGPT? You're affected.

How severe is it?

CVSS 3.1

9.8 / 10

EPSS

3.8%

chance of exploitation in 30 days

Higher than 88% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

6 steps

IMMEDIATE

Rotate all API keys stored in config.json on any deployed instance—treat them as fully compromised.
PATCH

Upgrade ChuanhuChatGPT to the version post-2024-03-05 (commit 6b8f7db347b390f6f8bd07ea2a4ef01a47382f00) which pins a patched Gradio version.
DETECT

Review LLM provider API usage logs for anomalous call volumes, unexpected geographic origins, or off-hours activity.
HARDEN

Never store API keys in web-accessible config files; use environment variables or a secrets manager (Vault, AWS Secrets Manager).
RESTRICT

Place self-hosted AI UIs behind VPN or IP allowlist—never expose Gradio interfaces directly to the internet.
AUDIT

Parse web server access logs for path traversal patterns: requests containing '../', '%2e%2e', or '%252e%252e' sequences targeting the application.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Data Leakage Framework API AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0106 - Exploitation for Credential Access

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.3 - AI system security

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place to sustain risk management over the AI lifecycle

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-3234?

Is CVE-2024-3234 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3234, increasing the risk of exploitation.

How to fix CVE-2024-3234?

1. IMMEDIATE: Rotate all API keys stored in config.json on any deployed instance—treat them as fully compromised. 2. PATCH: Upgrade ChuanhuChatGPT to the version post-2024-03-05 (commit 6b8f7db347b390f6f8bd07ea2a4ef01a47382f00) which pins a patched Gradio version. 3. DETECT: Review LLM provider API usage logs for anomalous call volumes, unexpected geographic origins, or off-hours activity. 4. HARDEN: Never store API keys in web-accessible config files; use environment variables or a secrets manager (Vault, AWS Secrets Manager). 5. RESTRICT: Place self-hosted AI UIs behind VPN or IP allowlist—never expose Gradio interfaces directly to the internet. 6. AUDIT: Parse web server access logs for path traversal patterns: requests containing '../', '%2e%2e', or '%252e%252e' sequences targeting the application.

What systems are affected by CVE-2024-3234?

This vulnerability affects the following AI/ML architecture patterns: Self-hosted AI chat interfaces, Gradio-based ML UI deployments, API key-dependent AI services, Internal LLM chatbot deployments.

What is the CVSS score for CVE-2024-3234?

CVE-2024-3234 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 3.76%.

What is the AI security impact?

Affected AI Architectures

Self-hosted AI chat interfacesGradio-based ML UI deploymentsAPI key-dependent AI servicesInternal LLM chatbot deployments

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.9.3

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM02, LLM03

What are the technical details?

Original Advisory

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the `web_assets` folder. However, the outdated version of gradio it employs is susceptible to path traversal, as identified in CVE-2023-51449. This vulnerability allows unauthorized users to bypass the intended restrictions and access sensitive files, such as `config.json`, which contains API keys. The issue affects the latest version of chuanhuchatgpt prior to the fixed version released on 20240305.

Exploitation Scenario

An attacker scans Shodan or Censys for publicly exposed Gradio interfaces on ports 7860-7861, identifying ChuanhuChatGPT instances. Leveraging the published CVE-2023-51449 path traversal technique against the outdated bundled Gradio, they craft an HTTP GET request that escapes the web_assets directory and retrieves config.json in a single unauthenticated request. The OpenAI API key is extracted in seconds and immediately used to run LLM queries at the victim's expense or resold. In targeted scenarios, the attacker uses the key to access organizational chat histories stored in connected services, or pivots to other cloud resources if the key has overly broad permissions.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.