CVE-2025-68492: chainlit: IDOR enables unauthorized data access

GHSA-v492-6xx2-p57g MEDIUM
Published January 14, 2026
CISO Take

Chainlit deployments running versions prior to 2.8.5 expose an authorization bypass that lets any authenticated user read other users' AI conversation threads or hijack thread ownership. Patch immediately to 2.8.5—Chainlit threads routinely contain sensitive LLM prompts, business context, and RAG-retrieved data that users assume is private. Audit all Chainlit instances across your AI stack, including internal copilots and customer-facing chat interfaces.

Risk Assessment

Medium severity by CVSS, but contextually elevated for AI deployments. The AC:H rating reflects implementation-specific complexity; in practice, IDOR-style thread ID enumeration is low-effort once an attacker holds any valid account. Exposure amplifies in multi-tenant or internal AI assistant deployments where thread data contains proprietary system prompts, customer PII, or embedded business intelligence. Low EPSS (0.00014) and absence from KEV suggest no active exploitation, but the fix is trivial—patching cost is near-zero versus potential data exposure.

Affected Systems

Package: chainlit
Ecosystem: pip
Vulnerable range: < 2.8.5
Patched: 2.8.5

Severity & Risk

CVSS 3.1: 4.2 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation status: No known exploitation
Sophistication: Trivial

Attack Surface

AV: Network
AC: High
PR: Low
UI: None
S: Unchanged
C: Low
I: Low
A: None

Recommended Action

1. PATCH: Upgrade all Chainlit instances to 2.8.5+ immediately; the fix is available and straightforward.
2. AUDIT: Query access logs for thread reads where the requesting user does not match thread owner; flag anomalous enumeration patterns.
3. ISOLATE: If patching is delayed, restrict Chainlit behind VPN or add WAF rules to block cross-user thread ID enumeration attempts.
4. DATA MINIMIZATION: Review what sensitive content is persisted in Chainlit threads; avoid storing API keys, PII, or system prompts in thread history.
5. DETECT: Implement alerting on thread access where session user differs from thread owner at the application layer.
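
The audit and detection steps (2 and 5), as an added example that is not code from Chainlit or from this advisory: it flags thread reads where the requester is not the owner and users who touch several foreign thread IDs in a short window. The JSON-lines log layout, field names, owner map, and thresholds are assumptions; only the /thread/{id} path comes from this page.

```python
import json
import re
from collections import defaultdict

# Constructed sample data. The JSON-lines layout and field names are assumptions,
# not Chainlit's own log format; the owner map stands in for a data-layer export.
THREAD_OWNERS = {"t-100": "alice", "t-101": "bob", "t-102": "carol"}
SAMPLE_LOG = """\
{"ts": 1000, "user": "alice", "method": "GET", "path": "/thread/t-100", "status": 200}
{"ts": 1005, "user": "mallory", "method": "GET", "path": "/thread/t-100", "status": 200}
{"ts": 1010, "user": "mallory", "method": "GET", "path": "/thread/t-101", "status": 200}
{"ts": 1015, "user": "mallory", "method": "GET", "path": "/thread/t-999", "status": 404}
{"ts": 1020, "user": "bob", "method": "GET", "path": "/thread/t-101", "status": 200}
{"ts": 5000, "user": "bob", "method": "GET", "path": "/thread/t-102", "status": 200}
truncated-line-not-json
{"ts": 5010, "user": "alice", "method": "GET", "path": "/project/settings", "status": 200}
"""
THREAD_PATH = re.compile(r"^/thread/([^/?#]+)")

def audit_thread_access(log_text, owners, window=60, min_distinct=3):
    """Return (cross_user_hits, enumerating_users) for the given access log."""
    hits = []
    foreign = defaultdict(list)  # user -> [(ts, thread_id)] for threads not theirs
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate blank, truncated or non-JSON lines
        if not isinstance(rec, dict) or not rec.get("user"):
            continue
        match = THREAD_PATH.match(str(rec.get("path", "")))
        if not match:
            continue
        user, thread_id, ts = rec["user"], match.group(1), rec.get("ts", 0)
        owner = owners.get(thread_id)
        if owner == user:
            continue  # owner reading their own thread
        foreign[user].append((ts, thread_id))  # unknown IDs count as probing too
        if owner is not None and rec.get("status") == 200:
            hits.append({"ts": ts, "user": user, "thread": thread_id, "owner": owner})
    enumerators = []
    for user, events in foreign.items():
        events.sort()
        for start, _ in events:
            # distinct foreign thread IDs touched within `window` seconds of start
            seen = {tid for ts, tid in events if 0 <= ts - start <= window}
            if len(seen) >= min_distinct:
                enumerators.append(user)
                break
    return hits, sorted(enumerators)
```

Against real data, feed it the proxy or application log and an owner map exported from the persistence layer, and tune `window` and `min_distinct` to normal usage.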

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system; Article 10 - Data and data governance
ISO 42001: A.6.1.4 - AI system access control; A.6.2.6 - Access to AI system resources
NIST AI RMF: GOVERN-1.2 - Accountability structures are in place; MANAGE 2.4 - Residual risks and treatment
OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure; LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2025-68492 actively exploited?

No confirmed active exploitation of CVE-2025-68492 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-68492?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, agent frameworks, multi-user AI applications, RAG pipelines, conversational AI platforms.

What is the CVSS score for CVE-2025-68492?

CVE-2025-68492 has a CVSS v3.1 base score of 4.2 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product.

Exploitation Scenario

An attacker creates a low-privilege account on a multi-user Chainlit deployment (e.g., an internal AI assistant or customer-facing LLM product). They observe that thread IDs in API requests to /thread/{id} are sequential, UUID-based but discoverable, or leaked via other endpoints. By iterating or guessing thread IDs with their authenticated session, they read conversation histories of other users—potentially exposing executive AI assistant sessions containing M&A context, HR queries, or embedded customer data. In a more targeted attack, the adversary obtains ownership of a specific high-value thread and injects adversarial context before the victim resumes their session, covertly manipulating the LLM's behavior through thread-context poisoning without any model access.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Timeline

Published: January 14, 2026
Last Modified: January 14, 2026
First Seen: March 24, 2026
