CVE-2024-8613
Published: 20 March 2025
Summary
CVE-2024-8613 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Gaizhenbiao Chuanhuchatgpt. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access, directly addressing the lack of access control mechanisms that allowed unauthorized access to other users' chat histories.
Provides capability for access control decisions based on user privileges, mitigating bypasses due to improper session data handling.
Employs least privilege to limit low-privileged users from accessing, copying, or deleting other users' sensitive chat histories.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables exploitation of public-facing application (T1190) for unauthorized collection of chat histories from a messaging application (T1213.005) and data destruction via deletion (T1485).
NVD Description
A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 allows attackers to access, copy, and delete other users' chat histories. This issue arises due to improper handling of session data and lack of access control mechanisms, enabling attackers to view and manipulate chat…
more
histories of other users.
Deeper analysisAI
CVE-2024-8613 is a vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 that enables attackers to access, copy, and delete other users' chat histories. The issue stems from improper handling of session data combined with a lack of access control mechanisms, allowing unauthorized viewing and manipulation of chat histories belonging to other users. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-639.
The vulnerability can be exploited by attackers who have low privileges, such as authenticated users on the system, over a network connection with low attack complexity and no requirement for user interaction. Successful exploitation grants high-impact access to sensitive chat history data, enabling the attacker to read confidential conversations (high confidentiality impact), modify or copy them (high integrity impact), and delete them (high availability impact).
Advisories point to a fix via a commit in the project's GitHub repository at https://github.com/gaizhenbiao/chuanhuchatgpt/commit/526c615c437377ee9c71f866fd0f19011910f705, with additional details and a bounty report available on Huntr at https://huntr.com/bounties/76258774-b011-4044-9c3d-c2609b1cbd29. Security practitioners should update to a patched version to mitigate the risks.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- chuanhuchatgpt is a self-hosted web-based AI chat interface (ChatGPT-like), functioning as an enterprise-style AI assistant platform, with the vulnerability in its user session and access controls for chat histories.