CVE-2025-45150: ChatGLM-Webui: arbitrary file read, no auth required

Severity: CRITICAL | Public PoC available | CISA SSVC decision: Track*
Published August 1, 2025
CISO Take

CVE-2025-45150 is a CVSS 9.8 unauthenticated file disclosure in LangChain-ChatGLM-Webui — any attacker can craft an HTTP request to read and exfiltrate arbitrary server files including API keys, model configs, and training data. No patch is available; take all exposed instances offline immediately and assume credential compromise if the service was internet-accessible. Rotate every API key and secret stored on the host.

Risk Assessment

Exploitability is maximum: network-accessible, zero privileges required, zero user interaction. CWE-732 (incorrect permission assignment for critical resource) means the entire filesystem accessible to the web process is exposed. In AI deployments this routinely includes LLM provider API keys (OpenAI, Anthropic), HuggingFace tokens, database credentials, and proprietary training data. The absence of a patch combined with trivial exploitation (crafted HTTP request) places this in the immediate-action tier for any organization running this component.

Affected Systems

Package                  Ecosystem   Vulnerable Range   Patched
langchain-chatglm-webui  pip         (not stated)       No patch


Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 26% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

6 steps

1. IMMEDIATE: Take all exposed instances offline or block inbound access via firewall/WAF.

2. ASSUME BREACH: Treat all credentials on the host as compromised — rotate LLM API keys (OpenAI, Anthropic, HuggingFace), database passwords, and cloud service credentials.

3. AUDIT LOGS: Review web server access logs for crafted requests with path traversal patterns (../, %2e%2e, /etc/passwd, .env, config.json).

4. NO PATCH: No upstream fix is referenced; do not redeploy until a code review confirms permission logic is corrected and file access is properly scoped.

5. NETWORK CONTROLS: If redeployment is required, restrict access to authenticated VPN or internal network only; never expose it directly to the internet.

6. DETECTION RULE: Alert on HTTP requests containing path traversal sequences or sensitive filenames in web application logs.
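Steps 3 and 6 call for auditing access logs and alerting on traversal sequences and sensitive filenames. The script below is an added example of that audit, not code from this advisory or from the LangChain-ChatGLM-Webui project. It parses combined-format access-log lines (the sample lines are constructed for the example), percent-decodes each request target repeatedly so that both `%2e%2e` and double-encoded `%252e%252e` normalize to `..`, and flags the indicators listed in step 3 plus `/proc/self/environ` from the exploitation scenario. A 404 on a traversal attempt is still reported, since the attempt itself is the signal.

```python
"""Flag HTTP access-log lines that look like path-traversal or sensitive-file reads."""
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not from any real host).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Aug/2025:10:01:02 +0000] "GET /chat HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Aug/2025:10:01:05 +0000] "GET /file=../../.env HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [01/Aug/2025:10:02:11 +0000] "GET /download?path=%2e%2e%2f%2e%2e%2fconfig.json HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [01/Aug/2025:10:02:15 +0000] "GET /download?path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1402 "-" "curl/8.0"
192.0.2.44 - - [01/Aug/2025:10:03:00 +0000] "GET /static/env-banner.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Aug/2025:10:03:30 +0000] "GET /read?f=/proc/self/environ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|(^|/)\.\.$)")
SENSITIVE_PATHS = ("/etc/passwd", "/proc/self/environ")
SENSITIVE_BASENAMES = (".env", "config.json")


def normalize(target: str) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both become '..'."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def classify(target: str) -> list[str]:
    """Return the reasons a request target is suspicious (empty list if none)."""
    norm = normalize(target)
    reasons = []
    if TRAVERSAL_RE.search(norm):
        reasons.append("path traversal sequence")
    for p in SENSITIVE_PATHS:
        if p in norm:
            reasons.append(f"sensitive path {p}")
    # Match sensitive names only as whole path/query components, so that
    # '/static/env-banner.png' is not flagged while '../../.env' is.
    for piece in re.split(r"[/?&=]", norm):
        if piece in SENSITIVE_BASENAMES or piece.startswith(".env."):
            reasons.append(f"sensitive filename {piece}")
    return reasons


def audit(log_text: str) -> list[dict]:
    """Parse each log line and return a record for every line that should raise an alert."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = classify(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["target"]} -> {", ".join(hit["reasons"])}')
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; any hit against an instance that was internet-reachable is grounds for the credential rotation in step 2, and a 200 response on a flagged request should be treated as a confirmed read.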

CISA SSVC Assessment

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.4 - AI system security
NIST AI RMF: MANAGE-2.2 - Mechanisms to maintain AI systems and manage AI risks are in place
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-45150?

CVE-2025-45150 is a CVSS 9.8 unauthenticated file disclosure in LangChain-ChatGLM-Webui — any attacker can craft an HTTP request to read and exfiltrate arbitrary server files including API keys, model configs, and training data. No patch is available; take all exposed instances offline immediately and assume credential compromise if the service was internet-accessible. Rotate every API key and secret stored on the host.

Is CVE-2025-45150 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-45150, increasing the risk of exploitation.

How to fix CVE-2025-45150?

1. IMMEDIATE: Take all exposed instances offline or block inbound access via firewall/WAF.
2. ASSUME BREACH: Treat all credentials on the host as compromised — rotate LLM API keys (OpenAI, Anthropic, HuggingFace), database passwords, and cloud service credentials.
3. AUDIT LOGS: Review web server access logs for crafted requests with path traversal patterns (../, %2e%2e, /etc/passwd, .env, config.json).
4. NO PATCH: No upstream fix is referenced; do not redeploy until a code review confirms permission logic is corrected and file access is properly scoped.
5. NETWORK CONTROLS: If redeployment is required, restrict access to authenticated VPN or internal network only; never expose it directly to the internet.
6. DETECTION RULE: Alert on HTTP requests containing path traversal sequences or sensitive filenames in web application logs.

What systems are affected by CVE-2025-45150?

This vulnerability affects the following AI/ML architecture patterns: LLM web interfaces, agent frameworks, model serving, RAG pipelines.

What is the CVSS score for CVE-2025-45150?

CVE-2025-45150 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.10%.

Technical Details

NVD Description

Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allow attackers to arbitrarily view and download sensitive files by supplying a crafted request.

Exploitation Scenario

An adversary scans for exposed ChatGLM-Webui instances via Shodan or FOFA using service banners or default UI fingerprints. Upon finding an exposed instance, they craft HTTP GET requests targeting sensitive file paths (e.g., requests referencing ../../.env, ../../config.json, or /proc/self/environ) by exploiting the insecure permission assignment — no authentication token or session is required. Within minutes they extract LLM API keys, database connection strings, and potentially training data files. These credentials are then leveraged to pivot: abusing LLM API keys for cost harvesting or exfiltrating proprietary model artifacts, or accessing connected databases for further data theft. The entire attack chain requires no AI/ML knowledge and can be scripted trivially.
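Step 4 of the recommended actions makes redeployment conditional on a code review confirming that "file access is properly scoped". The page does not show the project's file-serving code, so the helper below is an added example of what that scoping check looks like in general, not LangChain-ChatGLM-Webui's own logic. It maps a user-supplied name onto an allowed root, resolves `..` segments and symlinks before testing containment (so a symlink inside the root that points outside is refused too), rejects absolute paths outright, and only ever returns regular files. The `demo()` function builds a throwaway directory with a constructed `.env` placeholder outside the root and exercises the requests from the scenario above.

```python
"""Scoped file access: the property a code review should confirm before redeploying."""
import tempfile
from pathlib import Path


class AccessDenied(Exception):
    """Raised for any request that does not resolve to a regular file under the root."""


def resolve_in_root(root: Path, requested: str) -> Path:
    """Return the real path of `requested` under `root`, or raise AccessDenied.

    The containment test runs on the fully resolved path, after '..' and
    symlinks have been followed, so neither lexical traversal nor a link
    planted inside the root can reach outside it.
    """
    if not requested or "\x00" in requested:
        raise AccessDenied(f"rejected: {requested!r}")
    if Path(requested).is_absolute() or requested.startswith(("/", "\\")):
        raise AccessDenied(f"absolute path rejected: {requested!r}")
    real_root = root.resolve()
    candidate = (real_root / requested).resolve()
    if real_root not in candidate.parents:
        raise AccessDenied(f"outside allowed root: {requested!r}")
    if not candidate.is_file():
        raise AccessDenied(f"not a regular file: {requested!r}")
    return candidate


def demo() -> dict[str, str]:
    """Build a constructed sandbox and exercise the check; returns request -> outcome."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "uploads"          # the only directory the app may serve
        root.mkdir()
        (root / "sub").mkdir()
        (root / "notes.txt").write_text("allowed content\n")
        # Constructed secret outside the root; placeholder value, not a real key.
        (base / ".env").write_text("OPENAI_API_KEY=constructed-placeholder\n")
        # A symlink inside the root that points at the secret outside it.
        (root / "link").symlink_to(base / ".env")
        for req in ["notes.txt", "sub/../notes.txt", "../.env", "link", "/etc/passwd"]:
            try:
                resolve_in_root(root, req)
                outcomes[req] = "allowed"
            except AccessDenied:
                outcomes[req] = "denied"
    return outcomes


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:20} -> {outcome}")
```

The design choice worth noting in review is the order of operations: checking a path for `..` as a string and then opening it is the pattern that encoded and symlink variants defeat, whereas resolving first and then testing that the real root is an ancestor of the real target closes both. In an application that accepts file names from an HTTP request, every read should go through a function of this shape, with the root set to a directory that contains no configuration or credentials.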

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
August 1, 2025
Last Modified
October 17, 2025
First Seen
August 1, 2025
