Cyber Resilience

CVE-2025-2334

MediumPublic PoC

Published: 15 March 2025

Published
15 March 2025
Modified
21 October 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0007 21.7th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2334 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in 274056675 Springboot-Openai-Chatgpt. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-2334 is a problematic vulnerability involving improper access controls in the deleteChat function of the Chat History Handler component within the 274056675 springboot-openai-chatgpt project at commit e84f6f5. The issue arises from manipulation of the chatListId argument in the endpoint /api/mjkj-chat/chat/ai/delete/chat. Classified under CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control), it carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L) and was published on 2025-03-15.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating the chatListId parameter, the attacker can bypass access controls, potentially leading to unauthorized deletion of chat history, resulting in low impacts to integrity (I:L) and availability (A:L) with no confidentiality impact.

Advisories and details are available in references including VulDB entries at https://vuldb.com/?ctiid.299799, https://vuldb.com/?id.299799, and https://vuldb.com/?submit.505688, as well as https://www.cnblogs.com/aibot/p/18732182. The exploit has been publicly disclosed and may be used.

This vulnerability affects a Spring Boot application integrating OpenAI ChatGPT functionality, highlighting access control risks in AI chat history management.

EU & UK References

Vulnerability details

A vulnerability classified as problematic has been found in 274056675 springboot-openai-chatgpt e84f6f5. This affects the function deleteChat of the file /api/mjkj-chat/chat/ai/delete/chat of the component Chat History Handler. The manipulation of the argument chatListId leads to improper access controls. It is…

more

possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, chatgpt, openai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Improper access control (IDOR) in web API allows remote authenticated attackers to delete other users' chat history by manipulating chatListId, enabling exploitation of public-facing application (T1190), remote services (T1210), and privilege escalation (T1068).

CVEs Like This One

CVE-2025-2320Same product: 274056675 Springboot-Openai-Chatgpt
CVE-2025-2322Same product: 274056675 Springboot-Openai-Chatgpt
CVE-2024-13211Shared CWE-266, CWE-284
CVE-2026-2075Shared CWE-266, CWE-284
CVE-2024-13200Shared CWE-266, CWE-284
CVE-2026-9517Shared CWE-266, CWE-284
CVE-2025-2121Shared CWE-266, CWE-284
CVE-2025-2548Shared CWE-266, CWE-284
CVE-2026-4194Shared CWE-266, CWE-284
CVE-2026-9580Shared CWE-266, CWE-284

Affected Assets

274056675
springboot-openai-chatgpt
2024-12-29

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 requires systems to enforce approved access authorizations, directly preventing unauthorized deletion of chat history via chatListId manipulation in the deleteChat function.

prevent

AC-6 implements least privilege to restrict low-privileged (PR:L) users from accessing or deleting chat history not assigned to them, addressing CWE-266 incorrect privilege assignment.

prevent

AC-24 ensures access control decisions verify user ownership of the chatListId parameter before permitting deletion actions in the Chat History Handler.

References