cnvd - cnvd-2025-06185

CNVD-2025-06185

Vulnerability from cnvd - Published: 2025-03-31

Title

ChuanhuChatGPT拒绝服务漏洞

Description

ChuanhuChatGPT是一款应用程序，为ChatGPT等多种LLM提供了一个轻快好用的Web图形界面和众多附加功能。 ChuanhuChatGPT 20240918版本存在拒绝服务漏洞，攻击者可利用此漏洞通过发送特定格式的数据使系统持续处理字符，导致服务长时间不可用。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://huntr.com/bounties/f820371d-a878-44bf-b1fd-2d837dd58eb4

Reference

https://huntr.com/bounties/f820371d-a878-44bf-b1fd-2d837dd58eb4

Impacted products

Name
ChuanhuChatGPT ChuanhuChatGPT 20240918

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-10650",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-10650"
    }
  },
  "description": "ChuanhuChatGPT\u662f\u4e00\u6b3e\u5e94\u7528\u7a0b\u5e8f\uff0c\u4e3aChatGPT\u7b49\u591a\u79cdLLM\u63d0\u4f9b\u4e86\u4e00\u4e2a\u8f7b\u5feb\u597d\u7528\u7684Web\u56fe\u5f62\u754c\u9762\u548c\u4f17\u591a\u9644\u52a0\u529f\u80fd\u3002\n\nChuanhuChatGPT 20240918\u7248\u672c\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u7279\u5b9a\u683c\u5f0f\u7684\u6570\u636e\u4f7f\u7cfb\u7edf\u6301\u7eed\u5904\u7406\u5b57\u7b26\uff0c\u5bfc\u81f4\u670d\u52a1\u957f\u65f6\u95f4\u4e0d\u53ef\u7528\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://huntr.com/bounties/f820371d-a878-44bf-b1fd-2d837dd58eb4",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-06185",
  "openTime": "2025-03-31",
  "products": {
    "product": "ChuanhuChatGPT ChuanhuChatGPT 20240918"
  },
  "referenceLink": "https://huntr.com/bounties/f820371d-a878-44bf-b1fd-2d837dd58eb4",
  "serverity": "\u9ad8",
  "submitTime": "2025-03-27",
  "title": "ChuanhuChatGPT\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2024-10650 (GCVE-0-2024-10650)

Vulnerability from cvelistv5 – Published: 2025-03-20 10:11 – Updated: 2025-10-15 12:49

Summary

An unauthenticated Denial of Service (DoS) vulnerability was identified in ChuanhuChatGPT version 20240918, which could be exploited by sending large data payloads using a multipart boundary. Although a patch was applied for CVE-2024-7807, the issue can still be exploited by sending data in groups with 10 characters in a line, with multiple lines. This can cause the system to continuously process these characters, resulting in prolonged unavailability of the service. The exploitation now requires low privilege if authentication is enabled due to a version upgrade in Gradio.

Severity ?

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

@huntr_ai

References

URL

Tags

https://huntr.com/bounties/f820371d-a878-44bf-b1f…

Impacted products

	Vendor	Product	Version
	gaizhenbiao	gaizhenbiao/chuanhuchatgpt	Affected: unspecified , ≤ latest (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-10650",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T13:02:10.627526Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T13:02:28.754Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://huntr.com/bounties/f820371d-a878-44bf-b1fd-2d837dd58eb4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gaizhenbiao/chuanhuchatgpt",
          "vendor": "gaizhenbiao",
          "versions": [
            {
              "lessThanOrEqual": "latest",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An unauthenticated Denial of Service (DoS) vulnerability was identified in ChuanhuChatGPT version 20240918, which could be exploited by sending large data payloads using a multipart boundary. Although a patch was applied for CVE-2024-7807, the issue can still be exploited by sending data in groups with 10 characters in a line, with multiple lines. This can cause the system to continuously process these characters, resulting in prolonged unavailability of the service. The exploitation now requires low privilege if authentication is enabled due to a version upgrade in Gradio."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-15T12:49:24.004Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/f820371d-a878-44bf-b1fd-2d837dd58eb4"
        }
      ],
      "source": {
        "advisory": "f820371d-a878-44bf-b1fd-2d837dd58eb4",
        "discovery": "EXTERNAL"
      },
      "title": "Denial of Service (DoS) in gaizhenbiao/chuanhuchatgpt"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-10650",
    "datePublished": "2025-03-20T10:11:29.258Z",
    "dateReserved": "2024-10-31T21:49:09.971Z",
    "dateUpdated": "2025-10-15T12:49:24.004Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-06185

CVE-2024-10650 (GCVE-0-2024-10650)

Tags

Sightings

Nomenclature