CVE-2024-6038

June 27, 2024, 7:25 p.m.

Tags

security@huntr.dev
2024-06-27
CVE-2024-6038
CWE-625

CVSS Score

7.5 / 10

Product(s) Impacted

gaizhenbiao/chuanhuchatgpt

  • latest version

Description

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability is located in the filter_history function within the utils.py module. This function takes a user-provided keyword and attempts to match it against chat history filenames using a regular expression search. Due to the lack of sanitization or validation of the keyword parameter, an attacker can inject a specially crafted regular expression, leading to a denial of service condition. This can cause severe degradation of service performance and potential system unavailability.

Weaknesses

CWE-625
Permissive Regular Expression

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

CWE ID: 625

Date

Published: June 27, 2024, 7:15 p.m.

Last Modified: June 27, 2024, 7:25 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

security@huntr.dev

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score
7.5
Exploitability Score
3.9
Impact Score
3.6
Base Severity
HIGH
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://huntr.com/bounties/d41cca0a-82bc-4cbf-a52a-928d304fb42d
security@huntr.dev