Cyber Resilience

CVE-2024-8613

HighPublic PoC

Published: 20 March 2025

Published
20 March 2025
Modified
15 October 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0025 48.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-8613 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Gaizhenbiao Chuanhuchatgpt. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-8613 is a vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 that enables attackers to access, copy, and delete other users' chat histories. The issue stems from improper handling of session data combined with a lack of access control mechanisms, allowing unauthorized viewing and manipulation of chat histories belonging to other users. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-639.

The vulnerability can be exploited by attackers who have low privileges, such as authenticated users on the system, over a network connection with low attack complexity and no requirement for user interaction. Successful exploitation grants high-impact access to sensitive chat history data, enabling the attacker to read confidential conversations (high confidentiality impact), modify or copy them (high integrity impact), and delete them (high availability impact).

Advisories point to a fix via a commit in the project's GitHub repository at https://github.com/gaizhenbiao/chuanhuchatgpt/commit/526c615c437377ee9c71f866fd0f19011910f705, with additional details and a bounty report available on Huntr at https://huntr.com/bounties/76258774-b011-4044-9c3d-c2609b1cbd29. Security practitioners should update to a patched version to mitigate the risks.

EU & UK References

Vulnerability details

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 allows attackers to access, copy, and delete other users' chat histories. This issue arises due to improper handling of session data and lack of access control mechanisms, enabling attackers to view and manipulate chat…

more

histories of other users.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.005 Messaging Applications Collection
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Vulnerability enables exploitation of public-facing application (T1190) for unauthorized collection of chat histories from a messaging application (T1213.005) and data destruction via deletion (T1485).

CVEs Like This One

CVE-2024-9617Shared CWE-639
CVE-2026-45671Shared CWE-639
CVE-2026-4896Shared CWE-639
CVE-2026-1375Shared CWE-639
CVE-2026-32097Shared CWE-639
CVE-2024-50693Shared CWE-639
CVE-2025-69394Shared CWE-639
CVE-2026-41471Shared CWE-639
CVE-2025-58402Shared CWE-639
CVE-2025-68051Shared CWE-639

Affected Assets

gaizhenbiao
chuanhuchatgpt
20240802

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access, directly addressing the lack of access control mechanisms that allowed unauthorized access to other users' chat histories.

prevent

Provides capability for access control decisions based on user privileges, mitigating bypasses due to improper session data handling.

prevent

Employs least privilege to limit low-privileged users from accessing, copying, or deleting other users' sensitive chat histories.

References