AI Threat Alert AI Threat Alert

CVE-2024-3234: ChuanhuChatGPT: path traversal exposes LLM API keys

CRITICAL PoC AVAILABLE NUCLEI TEMPLATE CISA: ATTEND
Published June 6, 2024
CISO Take

Any self-hosted ChuanhuChatGPT instance exposes its config.json—including LLM provider API keys—to unauthenticated remote attackers via a trivial path traversal. Rotate all API keys immediately on affected deployments, upgrade to the version released post-2024-03-05, and block external access until patched. Assume API keys are compromised on any unpatched internet-facing instance.

Risk Assessment

CVSS 9.8 with no authentication, no user interaction, and network accessibility makes this exploitable by any opportunistic attacker—no AI/ML knowledge required. The blast radius extends well beyond the application: stolen LLM API keys enable unauthorized usage at the victim's expense, access to other services sharing the key, and potential data exfiltration from connected AI backends. Self-hosted AI chat interfaces are routinely deployed by development and research teams with minimal security hardening, significantly increasing real-world exposure. The chained dependency on CVE-2023-51449 (already public) means exploit code is likely available.

Affected Systems

Package Ecosystem Vulnerable Range Patched
chuanhuchatgpt pip No patch

Do you use chuanhuchatgpt? You're affected.

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
84.0%
chance of exploitation in 30 days
Higher than 99% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
EPSS exploit prediction: 84%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

6 steps

  1. IMMEDIATE

    Rotate all API keys stored in config.json on any deployed instance—treat them as fully compromised.

  2. PATCH

    Upgrade ChuanhuChatGPT to the version post-2024-03-05 (commit 6b8f7db347b390f6f8bd07ea2a4ef01a47382f00) which pins a patched Gradio version.

  3. DETECT

    Review LLM provider API usage logs for anomalous call volumes, unexpected geographic origins, or off-hours activity.

  4. HARDEN

    Never store API keys in web-accessible config files; use environment variables or a secrets manager (Vault, AWS Secrets Manager).

  5. RESTRICT

    Place self-hosted AI UIs behind VPN or IP allowlist—never expose Gradio interfaces directly to the internet.

  6. AUDIT

    Parse web server access logs for path traversal patterns: requests containing '../', '%2e%2e', or '%252e%252e' sequences targeting the application.

CISA SSVC Assessment

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Data Leakage Framework API AML.T0025 AML.T0037 AML.T0049 AML.T0055 AML.T0106

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to sustain risk management over the AI lifecycle
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-3234?

Any self-hosted ChuanhuChatGPT instance exposes its config.json—including LLM provider API keys—to unauthenticated remote attackers via a trivial path traversal. Rotate all API keys immediately on affected deployments, upgrade to the version released post-2024-03-05, and block external access until patched. Assume API keys are compromised on any unpatched internet-facing instance.

Is CVE-2024-3234 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3234, increasing the risk of exploitation.

How to fix CVE-2024-3234?

1. IMMEDIATE: Rotate all API keys stored in config.json on any deployed instance—treat them as fully compromised. 2. PATCH: Upgrade ChuanhuChatGPT to the version post-2024-03-05 (commit 6b8f7db347b390f6f8bd07ea2a4ef01a47382f00) which pins a patched Gradio version. 3. DETECT: Review LLM provider API usage logs for anomalous call volumes, unexpected geographic origins, or off-hours activity. 4. HARDEN: Never store API keys in web-accessible config files; use environment variables or a secrets manager (Vault, AWS Secrets Manager). 5. RESTRICT: Place self-hosted AI UIs behind VPN or IP allowlist—never expose Gradio interfaces directly to the internet. 6. AUDIT: Parse web server access logs for path traversal patterns: requests containing '../', '%2e%2e', or '%252e%252e' sequences targeting the application.

What systems are affected by CVE-2024-3234?

This vulnerability affects the following AI/ML architecture patterns: Self-hosted AI chat interfaces, Gradio-based ML UI deployments, API key-dependent AI services, Internal LLM chatbot deployments.

What is the CVSS score for CVE-2024-3234?

CVE-2024-3234 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 83.96%.

Technical Details

NVD Description

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the `web_assets` folder. However, the outdated version of gradio it employs is susceptible to path traversal, as identified in CVE-2023-51449. This vulnerability allows unauthorized users to bypass the intended restrictions and access sensitive files, such as `config.json`, which contains API keys. The issue affects the latest version of chuanhuchatgpt prior to the fixed version released on 20240305.

Exploitation Scenario

An attacker scans Shodan or Censys for publicly exposed Gradio interfaces on ports 7860-7861, identifying ChuanhuChatGPT instances. Leveraging the published CVE-2023-51449 path traversal technique against the outdated bundled Gradio, they craft an HTTP GET request that escapes the web_assets directory and retrieves config.json in a single unauthenticated request. The OpenAI API key is extracted in seconds and immediately used to run LLM queries at the victim's expense or resold. In targeted scenarios, the attacker uses the key to access organizational chat histories stored in connected services, or pivots to other cloud resources if the key has overly broad permissions.

Weaknesses (CWE)

CWE-22

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
June 6, 2024
Last Modified
November 21, 2024
First Seen
June 6, 2024

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2024/CVE-2024-3234.yaml -u https://target.example.com

Related Vulnerabilities

MEDIUM CVE-2023-34094 5.3

ChuanhuChatGPT: config exposure leaks API keys

Same package: chuanhuchatgpt
UNKNOWN CVE-2024-10707

ChuanhuChatGPT: path traversal exposes server files unauthed

Same package: chuanhuchatgpt
UNKNOWN CVE-2024-10650

ChuanhuChatGPT: DoS via multipart payload exhaustion

Same package: chuanhuchatgpt
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
Back to Threat Feed