PT-2024-38718 · Unknown · Gaizhenbiao/Chuanhuchatgpt

Published 2024-10-29 · Updated 2024-11-01 · CVE-2024-7962
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: gaizhenbiao/chuanhuchatgpt version 20240628
Description: An arbitrary file read issue exists because prompt template files are loaded without sufficient validation of the supplied path. An attacker can supply an absolute path and read any file that matches specific criteria: the file must not have a .json extension and, apart from its first line, every line must contain commas. This allows reading parts of format-compliant files, including code and log files, which may contain highly sensitive information such as account credentials.
Recommendations: For gaizhenbiao/chuanhuchatgpt version 20240628, consider restricting access to sensitive files and directories to minimize the risk of exploitation until a patch is available. As a temporary workaround, review and restrict the use of absolute paths in prompt template files to prevent unauthorized file access.
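As an added example (not code from the Chuanhuchatgpt project), the following shows the kind of path-confinement check that closes the file read described above: a template name is resolved against a fixed directory and refused if it is absolute, escapes that directory after resolution, or carries an extension the loader does not serve. TEMPLATES_DIR, ALLOWED_SUFFIXES, resolve_template_path, load_prompt_template and demo are assumed names; the CSV template and the refused inputs are constructed.

```python
import csv
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed names for illustration; not the project's own identifiers.
TEMPLATES_DIR = Path(os.environ.get("TEMPLATES_DIR", "templates")).resolve()
ALLOWED_SUFFIXES = {".csv", ".json"}


def resolve_template_path(name: str, base: Path = TEMPLATES_DIR) -> Path:
    """Map a user-supplied template name to a file confined to ``base``.
    Absolute names, ``..`` segments and symlinks leaving ``base`` are refused."""
    if not name or "\x00" in name:
        raise ValueError("invalid template name")
    # Joining keeps an absolute right-hand operand as-is; the containment
    # check below is what actually catches that case.
    candidate = (base / name).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError("template path escapes the templates directory")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("unsupported template extension")
    return candidate


def load_prompt_template(name: str, base: Path = TEMPLATES_DIR) -> List[List[str]]:
    """Load a CSV prompt template from the confined directory, skipping the header row."""
    path = resolve_template_path(name, base)
    with path.open(newline="", encoding="utf-8") as fh:
        return list(csv.reader(fh))[1:]


def demo() -> Dict[str, object]:
    """Exercise the loader on a constructed template in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        (base / "greeting.csv").write_text("act,prompt\nhelper,Say hello\n", encoding="utf-8")
        rows = load_prompt_template("greeting.csv", base)
        # Constructed inputs that must be refused: an absolute path outside base,
        # a traversal sequence, and an extension the loader does not serve.
        rejected = []
        for bad in (str(base.parent / "app.log"), "../app.log", "greeting.txt"):
            try:
                resolve_template_path(bad, base)
                rejected.append(False)
            except ValueError:
                rejected.append(True)
    return {"rows": rows, "rejected": rejected}
```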

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2024-7962, PYSEC-2024-112

Affected Products: Gaizhenbiao/Chuanhuchatgpt