CVE-2024-3234
Published: 06 June 2024
Summary
CVE-2024-3234 is a critical-severity Path Traversal (CWE-22) vulnerability in Gaizhenbiao Chuanhuchatgpt. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as APIs and Models; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: AML.T0039, AI Model Inference API Access (AML.T0040), Obtain Capabilities (AML.T0016).
Deeper analysis
The gaizhenbiao/chuanhuchatgpt application is vulnerable to path traversal due to its reliance on an outdated version of the gradio component that is affected by CVE-2023-51449. Although the application intends to restrict user access to resources inside the web_assets folder, the gradio flaw permits bypass of those controls. The issue impacts all versions prior to the fix released on 20240305 and is tracked as CWE-22 with a CVSS 3.1 score of 9.8.
Unauthenticated remote attackers can exploit the vulnerability over the network without user interaction to read arbitrary files on the server, including config.json that stores API keys. Successful exploitation grants full read access to sensitive configuration data and can lead to further compromise of confidentiality, integrity, and availability.
The maintainers resolved the exposure in commit 6b8f7db347b390f6f8bd07ea2a4ef01a47382f00. Details of the flaw and remediation are documented in the associated huntr.com bounty report. The CVE carries a high EPSS score of 0.84 (peak 0.86), indicating substantial exploitation likelihood.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31826
Vulnerability details
The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the `web_assets` folder. However, the outdated version of gradio it…
more
employs is susceptible to path traversal, as identified in CVE-2023-51449. This vulnerability allows unauthorized users to bypass the intended restrictions and access sensitive files, such as `config.json`, which contains API keys. The issue affects the latest version of chuanhuchatgpt prior to the fixed version released on 20240305.
- CWE(s)
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- chuanhuchatgpt is a Gradio-based web UI application for ChatGPT/LLM interactions, classified as an other AI platform due to its role in hosting AI chat interfaces.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal vulnerability (CVE-2024-3234) in public-facing web app enables exploitation (T1190), file/directory discovery (T1083), collection of data from local system including config files (T1005), and access to unsecured credentials in files like API keys (T1552.001).
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.