CVE-2024-6090
Published: 27 June 2024
Summary
CVE-2024-6090 is a high-severity Path Traversal (CWE-22) vulnerability in Gaizhenbiao Chuanhuchatgpt. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Data-Related Vulnerabilities risk domain; MITRE ATLAS techniques in scope: External Harms (AML.T0048).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47245
Vulnerability details
A path traversal vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410, allowing any user to delete other users' chat histories. This vulnerability can also be exploited to delete any files ending in `.json` on the target system, leading to a denial of service as users are unable to authenticate.
- CWE(s): CWE-22 (Path Traversal)
AI Security Analysis (AI)
- AI Category: Enterprise AI Assistants
- Risk Domain: Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: chuanhuchatgpt is a self-hosted web UI for ChatGPT-like LLM interactions, functioning as an enterprise or personal AI assistant platform, with the vulnerability affecting chat histories in this context.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Path traversal vulnerability enables unauthorized deletion of .json files (chat histories and auth files), exploiting file system permissions (T1044), file deletion (T1070.004), data destruction (T1485), and application DoS via exploitation (T1499.004).
MITRE ATLAS Techniques (AI)
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
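The control above is the standard fix for CWE-22: a user-supplied history name must never be able to reach outside that user's own directory, whether through `..` segments, an absolute path, or a planted symlink. The following is an added illustration written for this page, not code from chuanhuchatgpt, and the directory layout (`<history_root>/<user>/<name>.json`), the function names and the sample files are assumptions made for the example. It combines a syntactic allow-list on the filename with a check on the fully resolved path, and the demo shows each bypass class being refused while a legitimate delete succeeds.

```python
"""Added example (not chuanhuchatgpt's code): confine per-user chat-history
deletion to the user's own directory.  Layout and names are assumptions."""
from pathlib import Path
import re
import tempfile

# Allow-list for user-chosen history names: no path separators, no leading
# dot, bounded length, and it must end in .json.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.json$")
_SAFE_USER = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_history_path(history_root: Path, user: str, name: str) -> Path:
    """Return <history_root>/<user>/<name> as a resolved path, or raise ValueError.

    Two independent checks: the allow-list rejects traversal syntax up front,
    and the relative_to() check on the *resolved* path catches anything the
    regex cannot see, such as a symlink inside the user's directory that
    points elsewhere.
    """
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected history name: {name!r}")
    if not _SAFE_USER.fullmatch(user):
        raise ValueError(f"rejected user id: {user!r}")

    user_dir = (history_root / user).resolve()
    target = (user_dir / name).resolve()
    try:
        target.relative_to(user_dir)  # raises ValueError if target escaped
    except ValueError:
        raise ValueError(f"path escapes user directory: {target}") from None
    return target


def delete_history(history_root: Path, user: str, name: str) -> bool:
    """Delete one of the user's own history files; True if a file was removed."""
    target = resolve_history_path(history_root, user, name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed sample tree: two users, one history file each, plus a
    stand-in for an authentication file one level above the history root."""
    root = Path(tempfile.mkdtemp()) / "history"
    (root / "alice").mkdir(parents=True)
    (root / "bob").mkdir()
    (root / "alice" / "chat1.json").write_text("{}")
    (root / "bob" / "chat1.json").write_text("{}")
    (root.parent / "config.json").write_text("{}")  # assumed auth file

    # A symlink planted inside alice's directory that points at bob's file:
    # the filename looks harmless, so only the resolved-path check stops it.
    (root / "alice" / "link.json").symlink_to(root / "bob" / "chat1.json")

    def rejected(user: str, name: str) -> bool:
        try:
            delete_history(root, user, name)
        except ValueError:
            return True
        return False

    return {
        "own_file_deleted": delete_history(root, "alice", "chat1.json"),
        "traversal_rejected": rejected("alice", "../bob/chat1.json"),
        "auth_file_traversal_rejected": rejected("alice", "../../config.json"),
        "absolute_path_rejected": rejected("alice", str(root.parent / "config.json")),
        "symlink_rejected": rejected("alice", "link.json"),
        "bob_file_intact": (root / "bob" / "chat1.json").is_file(),
        "auth_file_intact": (root.parent / "config.json").is_file(),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The resolved-path check is the one that matters most: an allow-list alone is easy to get subtly wrong, and it does nothing against a symlink created through some other feature of the application, so both layers belong in a fix for a defect of this class.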