CVE-2024-38514
Published: 2024-06-28
Priority: P2 (high), CVSS 3.1 base score 7.4
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Tags: ITW, exploit; VulnCheck KEV: exploited in the wild
EPSS: 2.19% (80.1th percentile)
NextChat is a cross-platform ChatGPT/Gemini UI. There is a Server-Side Request Forgery (SSRF) vulnerability due to a lack of validation of the `endpoint` GET parameter on the WebDav API endpoint. This SSRF can be used to perform arbitrary HTTPS requests from the vulnerable instance (MKCOL, PUT and GET methods supported), or to target NextChat users and make them execute arbitrary JavaScript code in their browser. This vulnerability has been patched in version 2.12.4.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chatgptnextweb | chatgpt-next-web | < 2.12.4 | 2.12.4 |
Detection & IOCs (extracted from sources)
- The SSRF is triggered via the unvalidated `endpoint` GET parameter on the WebDav API endpoint. Monitor HTTP requests to `/api/webdav/` paths containing an `endpoint` parameter pointing to external or internal hosts.
- Supported HTTP methods for SSRF abuse are MKCOL, PUT, and GET; monitor for unusual outbound requests using these methods originating from the NextChat server process.
- Responses from the vulnerable endpoint contain the string `__NEXT_DATA__` in the body; use this as a confirmation matcher when probing for the vulnerability.
- The vulnerability can also be used to deliver stored/reflected XSS to NextChat users; monitor for JavaScript execution originating from the WebDav API path.
- Identify exposed NextChat instances via Shodan using the query for title fields matching 'NextChat' or 'ChatGPT Next Web'.
- The vulnerability affects NextChat v2.12.3 and earlier; v2.12.4 includes the fix. Ensure version detection is part of triage to avoid false positives on patched instances.
- The Nuclei template uses an out-of-band DNS interaction (interactsh) for confirmation; detection in passive/network monitoring contexts requires observing the outbound DNS/HTTPS callback rather than an inline response match.
- The SSRF only supports HTTPS outbound requests (not HTTP), which may limit internal network scanning to HTTPS-enabled services.
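As an added example (not NextChat code and not the Nuclei template), the following Python applies the first bullet above to constructed web-server access log lines: it picks out requests to `/api/webdav/` whose `endpoint` parameter names a host other than the WebDAV server the operator expects, and separates private/link-local targets from external ones. The allowlist host and the log lines are assumptions.

```python
"""Flag NextChat /api/webdav/ requests whose `endpoint` parameter leaves the allowlist.
Added example (not NextChat code or the Nuclei template); allowlist and log lines are constructed."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the operator knows which WebDAV server(s) NextChat is meant to sync with.
ALLOWED_WEBDAV_HOSTS = {"dav.example.com"}
# Common Log Format: client - - [timestamp] "METHOD /path?query HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def _is_private_host(host: str) -> bool:
    """True for an IP literal outside globally routable space (loopback, link-local, RFC1918)."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:  # a DNS name: not resolved offline, so it is reported as 'external'
        return False

def classify_endpoint(endpoint: str) -> str:
    """Return 'allowed', 'private' or 'external' for one `endpoint` value."""
    host = (urlsplit(endpoint).hostname or "").lower()
    if host in ALLOWED_WEBDAV_HOSTS:
        return "allowed"
    if _is_private_host(host):
        return "private"
    return "external"

def scan_log(lines):
    """Return (client, method, endpoint, verdict) for each off-allowlist webdav request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.startswith("/api/webdav/"):
            continue  # only the vulnerable WebDav API path is of interest
        for endpoint in parse_qs(url.query).get("endpoint", []):
            verdict = classify_endpoint(endpoint)
            if verdict != "allowed":
                findings.append((client, method, endpoint, verdict))
    return findings

# Constructed sample lines: one legitimate sync, one metadata-service probe, one external callback.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jun/2024:10:00:01 +0000] "GET /api/webdav/?endpoint=https%3A%2F%2Fdav.example.com%2F HTTP/1.1" 200 512',
    '198.51.100.9 - - [28/Jun/2024:10:00:05 +0000] "GET /api/webdav/?endpoint=https%3A%2F%2F169.254.169.254%2Flatest%2F HTTP/1.1" 200 233',
    '198.51.100.9 - - [28/Jun/2024:10:00:07 +0000] "PUT /api/webdav/?endpoint=https%3A%2F%2Fcallback.example.net%2Fx HTTP/1.1" 200 88',
]
```

Pair the verdicts with version detection (v2.12.4 or later is patched) before escalating, as the triage bullet above recommends.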
CVSS provenance
- NVD: CVSS 3.1, 7.4 HIGH, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- VulnCheck: 7.4 HIGH
No detection rules found.
Nuclei
CVE-2024-38514 [HIGH] NextChat - Server-Side Request Forgery (nuclei, CVSS 7.4)
NextChat v2.12.3 suffers from a Server-Side Request Forgery (SSRF) and Cross-Site Scripting vulnerability due to a lack of validation of the GET parameter on the WebDav API endpoint.
Template:

```yaml
id: CVE-2024-38514

info:
  name: NextChat - Server-Side Request Forgery
  author: DhiyaneshDk
  severity: high
  description: |
    NextChat v2.12.3 suffers from a Server-Side Request Forgery (SSRF) and Cross-Site Scripting vulnerability due to a lack of validation of the GET parameter on the WebDav API endpoint.
  impact: |
    Unauthenticated attackers can perform SSRF attacks to access internal services, scan internal networks, or exfiltrate sensitive information from systems that should not be accessible externally.
  remediation: |
    Upgrade to NextChat version 2.12.4 or lat
```
References:
- https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web/commit/dad122199a85c2f12277593973e1784b212adf5e
- https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web/security/advisories/GHSA-gph5-rx77-3pjg