CVE-2024-9216
Published: 20 March 2025
Summary
CVE-2024-9216 is a high-severity Missing Critical Step in Authentication (CWE-304) vulnerability in Gaizhenbiao Chuanhuchatgpt. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6872
Vulnerability details
An authentication bypass vulnerability exists in gaizhenbiao/ChuanhuChatGPT, as of commit 3856d4f, allowing any user to read and delete other users' chat history. The vulnerability arises because the username is provided via an HTTP request from the client side, rather than…
more
being read from a secure source like a cookie. This allows an attacker to pass another user's username to the get_model function, thereby gaining unauthorized access to that user's chat history.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass in public-facing web app (T1190) allows unauthorized access to other users' chat history (collection from messaging applications, T1213.005) and deletion of chat history files (T1070.004).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ensures the authentication process is followed for non-organizational users, avoiding missing critical steps.