Cyber Resilience

CVE-2024-38514

Severity: High
Published: 28 June 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in version 2.12.4 (see Deeper analysis)
CVSS v3.1 score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.7111 (98.7th percentile)
Risk priority: 57 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38514 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

NextChat, a cross-platform ChatGPT/Gemini user interface, contains a server-side request forgery vulnerability in its WebDAV API endpoint. The flaw stems from missing validation of the `endpoint` GET parameter, which lets a caller supply an arbitrary URL for the server to contact. All versions prior to 2.12.4, the release that contains the patch, are affected; the issue is tracked as CWE-918 with a CVSS 3.1 score of 7.4.

An unauthenticated remote attacker can exploit the issue over the network to force the NextChat instance to issue HTTPS requests using the MKCOL, PUT, and GET methods against internal or external targets. The same vector can also be used to deliver malicious payloads that execute arbitrary JavaScript in the browsers of other NextChat users who interact with the affected endpoint.

The official GitHub Security Advisory GHSA-gph5-rx77-3pjg and the associated commit dad122199a85c2f12277593973e1784b212adf5e confirm that the vulnerability is resolved in version 2.12.4; administrators are advised to upgrade immediately and to restrict or monitor access to the WebDAV API until the update is applied.
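The missing check described above is an allow-list on the `endpoint` parameter before the server issues any request. The following is an added example, not NextChat's own code or its actual fix; the approved host is a constructed placeholder and the handler shape is assumed. The points it illustrates are to compare the whole hostname for exact membership rather than by string prefix, and to reject non-HTTPS, credential-bearing and IP-literal URLs.

```javascript
// Added example (not NextChat's code): allow-list validation for a WebDAV
// proxy's `endpoint` parameter, the kind of check whose absence produced
// CVE-2024-38514. The host below is a constructed placeholder.
const ALLOWED_WEBDAV_HOSTS = new Set([
  "dav.example-webdav.test", // placeholder for an approved WebDAV provider
]);
// Only the methods the proxy is meant to forward.
const ALLOWED_METHODS = new Set(["MKCOL", "PUT", "GET"]);

// Reject literal IP hosts outright: approved providers are reached by name,
// and this excludes loopback, link-local and RFC 1918 targets without a
// separate range parser. WHATWG URL parsing normalises numeric and
// shorthand IPv4 forms to dotted quads, and brackets IPv6 literals.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
}

// Returns { ok: true, url } for an acceptable endpoint,
// otherwise { ok: false, reason }. Nothing is fetched here.
function validateWebDavEndpoint(endpoint, method) {
  if (typeof endpoint !== "string" || endpoint.length > 2048) {
    return { ok: false, reason: "endpoint missing or too long" };
  }
  let url;
  try {
    url = new URL(endpoint); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "endpoint is not an absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "only https is allowed" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  if (isIpLiteral(url.hostname)) {
    return { ok: false, reason: "IP-literal host" };
  }
  // Exact match on the full hostname: a prefix or substring comparison
  // would accept look-alike hosts such as approved.example.lookalike.test.
  if (!ALLOWED_WEBDAV_HOSTS.has(url.hostname.toLowerCase())) {
    return { ok: false, reason: "host not on the WebDAV allow-list" };
  }
  if (!ALLOWED_METHODS.has(method)) {
    return { ok: false, reason: "method not allowed" };
  }
  return { ok: true, url: url.toString() };
}
```

Log the `reason` of every rejection; a burst of rejected IP-literal or off-list hosts against the WebDAV route is the detection signal the controls below refer to.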

The EPSS score has reached a peak of 0.7256 with a current value of 0.7111, indicating sustained exploitation interest after disclosure.


Vulnerability details

NextChat is a cross-platform ChatGPT/Gemini UI. There is a Server-Side Request Forgery (SSRF) vulnerability due to a lack of validation of the `endpoint` GET parameter on the WebDav API endpoint. This SSRF can be used to perform arbitrary HTTPS requests from the vulnerable instance (MKCOL, PUT and GET methods supported), or to target NextChat users and make them execute arbitrary JavaScript code in their browser. This vulnerability has been patched in version 2.12.4.

CWE(s): CWE-918 (Server-Side Request Forgery)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.


Mitigating Controls (likely, AI-derived)

Per-CVE control mapping has not yet run for this CVE; the controls below are derived from the weakness type (CWE-918) cited in the NVD entry.

Addresses CWE-918: Penetration testing that attempts server-side requests to internal resources identifies SSRF weaknesses for remediation.
Addresses CWE-918: Outbound connections to external resources can be monitored and limited at the network boundary, reducing SSRF impact.
Addresses CWE-918: Validation of server-side URLs and resource references blocks SSRF attempts.
Addresses CWE-918: Monitoring of unexpected outbound connections detects server-side request forgery.
