Cyber Resilience

CVE-2024-9216

High · Public PoC

Published: 20 March 2025

Modified: 01 August 2025
KEV Added:
Patch:
CVSS Score v3: 8.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0017 (38.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-9216 is a high-severity Missing Critical Step in Authentication (CWE-304) vulnerability in gaizhenbiao/ChuanhuChatGPT. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 38.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

An authentication bypass vulnerability exists in gaizhenbiao/ChuanhuChatGPT, as of commit 3856d4f, allowing any user to read and delete other users' chat history. The vulnerability arises because the username is provided via an HTTP request from the client side, rather than being read from a secure source like a cookie. This allows an attacker to pass another user's username to the get_model function, thereby gaining unauthorized access to that user's chat history.
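The weakness class described above, shown as an added example that is not ChuanhuChatGPT's own code: a handler that trusts a username field from the request body, next to one that derives identity from a server-verified session cookie and rejects a conflicting claim. All names here (the handlers, the `user_name` field, the cookie format, the key) are hypothetical, and the HMAC-signed cookie stands in for whatever session mechanism the application actually uses.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server
HISTORY = {"alice": ["alice-chat-1"], "bob": ["bob-chat-1"]}  # constructed data

def _tag(username: str) -> str:
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()

def issue_session(username: str) -> str:
    """Cookie value handed out after a successful login (hypothetical format)."""
    return f"{username}.{_tag(username)}"

def session_user(cookie):
    """Return the username bound to a valid cookie, else None."""
    username, sep, tag = (cookie or "").rpartition(".")
    if not sep or not username:
        return None
    ok = hmac.compare_digest(tag.encode(), _tag(username).encode())
    return username if ok else None

def read_history_vulnerable(request: dict) -> list:
    # Weak pattern: the identity is whatever the request body claims.
    return HISTORY.get(request["body"].get("user_name"), [])

def authenticated_user(request: dict) -> str:
    """Derive identity from the verified cookie; reject conflicting claims."""
    user = session_user(request.get("cookies", {}).get("session"))
    if user is None:
        raise PermissionError("no valid session")
    claimed = request.get("body", {}).get("user_name")
    if claimed is not None and claimed != user:
        # Worth logging: a session asking for another user's data.
        raise PermissionError(f"session {user!r} claimed {claimed!r}")
    return user

def read_history_hardened(request: dict) -> list:
    return HISTORY.get(authenticated_user(request), [])

def delete_history_hardened(request: dict) -> bool:
    return HISTORY.pop(authenticated_user(request), None) is not None

if __name__ == "__main__":
    req = {"cookies": {"session": issue_session("bob")}, "body": {"user_name": "alice"}}
    print("vulnerable:", read_history_vulnerable(req))
    try:
        read_history_hardened(req)
    except PermissionError as exc:
        print("hardened:", exc)
```

The rejected mismatch in `authenticated_user` doubles as a detection point: a valid session naming a different user in the request is worth an alert, not just a 403.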

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.005 Messaging Applications (Collection)
Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

Authentication bypass in public-facing web app (T1190) allows unauthorized access to other users' chat history (collection from messaging applications, T1213.005) and deletion of chat history files (T1070.004).

Affected Assets

gaizhenbiao
chuanhuchatgpt
2024-12-04

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-304

Ensures the authentication process is followed for non-organizational users, avoiding missing critical steps.
