CVE-2024-7962
Published: 29 October 2024
Summary
CVE-2024-7962 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Gaizhenbiao Chuanhuchatgpt. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 38.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Privacy and Disclosure risk domain. MITRE ATLAS techniques in scope: Obtain Capabilities (AML.T0016), Poison Training Data (AML.T0020), Establish Accounts (AML.T0021).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0022
Vulnerability details
An arbitrary file read vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240628 due to insufficient validation when loading prompt template files. An attacker can read any file that matches specific criteria using an absolute path. The file must not have a .json extension and, except for the first line, every other line must contain commas. This vulnerability allows reading parts of format-compliant files, including code and log files, which may contain highly sensitive information such as account credentials.
- CWE(s)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: chuanhuchatgpt is a self-hosted, open-source ChatGPT-like AI chat platform (web UI for LLM interactions), fitting the Enterprise AI Assistants category as it provides an assistant interface for generative AI usage.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file read in public-facing web app (T1190) enables collection of local system data (T1005), including credentials in files (T1081, T1552.001) and logs (T1654).
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
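The pathname-validation control above, sketched for a prompt-template loader as an added example; it is not ChuanhuChatGPT's code or its actual fix. It assumes the loader joins a templates directory with a caller-supplied name, and every function and file name in it is hypothetical.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical names throughout; none are ChuanhuChatGPT identifiers.
class TemplateError(ValueError):
    """Raised when a requested template name is rejected."""

def naive_template_path(base_dir, name):
    # Weak pattern: os.path.join discards base_dir when name is absolute,
    # so a caller-supplied absolute path selects any file on the host.
    return os.path.join(base_dir, name)

def safe_template_path(base_dir, name):
    """Return the resolved path of `name` only if it lies inside base_dir."""
    if not name or "\x00" in name:
        raise TemplateError("empty or malformed template name")
    # Reject absolute paths, drive prefixes and leading separators up front.
    if os.path.isabs(name) or Path(name).drive or name.startswith(("/", "\\")):
        raise TemplateError("absolute paths are not allowed")
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks, so the containment
    # check is made on the real target rather than on the string.
    candidate = (base / name).resolve()
    if base not in candidate.parents:
        raise TemplateError("path escapes the template directory")
    if not candidate.is_file():
        raise TemplateError("no such template")
    return candidate

def demo():
    """Run both resolvers against constructed inputs in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        templates = Path(root, "templates")
        templates.mkdir()
        (templates / "prompts.csv").write_text("act,prompt\nreviewer,Review this\n")
        secret = Path(root, "app.log")  # constructed stand-in for a sensitive file
        secret.write_text("start\nuser,password\n")
        results["naive_abs"] = Path(naive_template_path(templates, str(secret))) == secret
        for label, name in [("ok", "prompts.csv"), ("abs", str(secret)),
                            ("dotdot", "../app.log"), ("backslash", "\\..\\app.log")]:
            try:
                safe_template_path(templates, name)
                results[label] = "allowed"
            except TemplateError:
                results[label] = "rejected"
    return results
```

Checking containment on the resolved path, not on the raw string, is what also covers symlinks placed inside the template directory.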