CVE-2024-38514
Published: 28 June 2024
Summary
CVE-2024-38514 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.4 (High).
Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.
Deeper analysis
NextChat, a cross-platform ChatGPT/Gemini user interface, contains a server-side request forgery vulnerability in its WebDAV API endpoint. The flaw stems from missing validation of the `endpoint` GET parameter, which allows an attacker to supply arbitrary URLs. All versions prior to 2.12.4 are affected; the issue is tracked as CWE-918 with a CVSS 3.1 base score of 7.4.
An unauthenticated remote attacker can exploit the issue over the network to force the NextChat instance to issue HTTPS requests using the MKCOL, PUT, and GET methods against internal or external targets. The same vector can also be used to deliver malicious payloads that execute arbitrary JavaScript in the browsers of other NextChat users who interact with the affected endpoint.
The official GitHub Security Advisory GHSA-gph5-rx77-3pjg and the associated commit dad122199a85c2f12277593973e1784b212adf5e confirm that the vulnerability is resolved in version 2.12.4; administrators are advised to upgrade immediately and to restrict or monitor access to the WebDAV API until the update is applied.
The EPSS score has reached a peak of 0.7256 with a current value of 0.7111, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37385
Vulnerability details
NextChat is a cross-platform ChatGPT/Gemini UI. There is a Server-Side Request Forgery (SSRF) vulnerability due to a lack of validation of the `endpoint` GET parameter on the WebDav API endpoint. This SSRF can be used to perform arbitrary HTTPS requests from the vulnerable instance (MKCOL, PUT and GET methods supported), or to target NextChat users and make them execute arbitrary JavaScript code in their browser. This vulnerability has been patched in version 2.12.4.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
- Validates server-side URLs and resource references to block SSRF attempts.
- Detects server-side request forgery through monitoring of unexpected outbound connections.