The SSRF flaw in ChatGPT-Next-Web allowed attackers to gain unauthorized access.


In addition to ChatGPT and Gemini AI, two of the most popular publicly available Artificial Intelligence systems, there are numerous other standalone chatbot applications users can deploy and customize for personal use.

These standalone applications offer the ability to test various AI models and bypass IP block restrictions. Among them, NextChat (ChatGPT-Next-Web) stands out as a popular open-source option on GitHub, boasting over 63K stars and 52K forks.

Furthermore, a Shodan query (“title:NextChat,” “ChatGPT Next Web”) indicates that this chatbot application is primarily deployed in China and the US, with over 7500 exposed instances.

However, this chatbot application contains a critical server-side request forgery (SSRF) vulnerability, designated CVE-2023-49785, with a severity level of 9.1 (Critical). As of now, no patch is available, which poses a significant threat to organizations.

ChatGPT-Next-Web SSRF Vulnerability

As reported by Cyber Security News, NextChat is a JavaScript application based on Next.js, with most functionalities implemented as client-side code. The vulnerability was found at the /api/cors endpoint, used for saving client-side chat data to WebDAV users.

An unauthenticated user with access to this application can exploit this endpoint to send arbitrary HTTP requests. This could potentially bypass built-in browser protections and allow users to access cross-domain resources through a server-side endpoint.

An attacker can exploit this vulnerability by appending the address of an internal endpoint to the endpoint's URL, which makes the server request internal HTTP resources and return them to the attacker.

Furthermore, if the instance is deployed in AWS, attackers can exploit the vulnerability to access AWS cloud metadata. This includes retrieving AWS access keys from an EC2 instance running with IMDSv1 (Instance Metadata Service Version 1) enabled.

Although passing other headers such as Cookie and Content-Type is restricted, there are inventive methods to inject these headers into the HTTP request.

Reflected XSS


An interesting observation is that this endpoint is vulnerable to cross-site scripting (XSS) without the need for another website to initiate the exploit.

This vulnerability arises because the endpoint passes the supplied target to the fetch method, which supports the data protocol, so the XSS triggers directly on the website's own origin.

The XSS exploit can be activated using the following code appended to the URL endpoint:

data:text%2fhtml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+%23

Decoded: <script>alert(document.domain)</script>

In summary, organizations are advised to avoid exposing this application to the internet. If internet access is necessary, it’s recommended to isolate the application without granting access to other internal resources.
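The following is an added example, not NextChat's code or a project patch: the target validation that a fetch proxy such as /api/cors needs in order to refuse both abuses described above, requests to internal addresses and data: URLs. It assumes the target URL is the percent-encoded remainder of the path after /api/cors/; ALLOWED_HOSTS, dav.example.com and the function names are hypothetical.

```javascript
// Added example: validate the target of a server-side fetch proxy before fetching.
// ALLOWED_HOSTS and dav.example.com are hypothetical; list your own WebDAV hosts.
const ALLOWED_HOSTS = new Set(["dav.example.com"]);
const PREFIX = "/api/cors/"; // assumed layout: encoded target URL follows the prefix

// Loopback, RFC 1918, 0.0.0.0/8 and link-local (cloud metadata) IPv4 ranges.
function isInternalIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function checkProxyTarget(requestPath) {
  if (!requestPath.startsWith(PREFIX)) return { ok: false, reason: "not-proxy-path" };
  let target;
  try {
    // decodeURIComponent throws on malformed escapes, URL on unparseable input.
    target = new URL(decodeURIComponent(requestPath.slice(PREFIX.length)));
  } catch {
    return { ok: false, reason: "unparseable-target" };
  }
  // Only web schemes: this is what rejects data:, file: and similar URLs.
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { ok: false, reason: "scheme-not-allowed" };
  }
  // The URL parser canonicalises decimal/hex IPv4 forms, so check its output.
  // IPv6 literals (bracketed hostnames) are refused outright to stay conservative.
  const host = target.hostname.toLowerCase();
  if (host.startsWith("[") || isInternalIPv4(host)) {
    return { ok: false, reason: "internal-address" };
  }
  // The allowlist is the main control: unlisted names never reach fetch at all.
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: "host-not-allowlisted" };
  return { ok: true, url: target.href };
}

// Constructed sample request paths, one per outcome.
for (const p of ["/api/cors/data:text%2fplain,hello",
                 "/api/cors/http%3A%2F%2F169.254.169.254%2F",
                 "/api/cors/https%3A%2F%2Fdav.example.com%2Fbackup.json"]) {
  console.log(p, "->", JSON.stringify(checkProxyTarget(p)));
}
```

Run the check before the proxy's fetch call, and pass `redirect: "manual"` to that fetch so an allowlisted host cannot bounce the request to an internal address.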


2024-03-19T03:10:45+05:30 | March 12th, 2024 | Internet Security, Security Advisory, Security Update, vulnerability

About the Author:

FirstHackersNews- Identifies Security
