CVE-2024-10955

6.5 MEDIUM

📋 TL;DR

This CVE describes a Regular Expression Denial of Service (ReDoS) vulnerability in gaizhenbiao/chuanhuchatgpt where a regex pattern used to parse user input can be exploited to cause excessive CPU consumption. Attackers can upload specially crafted JSON payloads to trigger polynomial-time regex matching, leading to server DoS. Anyone running vulnerable versions of this software is affected.

💻 Affected Systems

Products:
  • gaizhenbiao/chuanhuchatgpt
Versions: up to and including commit 20b2e02
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default regex pattern used for input parsing. Any deployment using the vulnerable code is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server unavailability due to 100% CPU consumption, affecting all services on the same host and potentially causing cascading failures.

🟠 Likely Case

Temporary service degradation or downtime for the affected application, requiring manual intervention to restart services.

🟢 If Mitigated

Minimal impact with proper input validation, rate limiting, and monitoring in place to detect and block malicious payloads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a malicious JSON payload to the vulnerable endpoint. The vulnerability is publicly documented with proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: versions after commit 20b2e02

Vendor Advisory: https://huntr.com/bounties/8291f8d0-5060-47e7-9986-1f411310fb7b

Restart Required: Yes

Instructions:

1. Update to the latest version of gaizhenbiao/chuanhuchatgpt.
2. Verify the regex pattern has been fixed.
3. Restart the application service.

🔧 Temporary Workarounds

Implement Input Validation (applies to: all platforms)

Add input validation to reject or sanitize payloads containing excessive angle brackets before regex processing.

Rate Limiting (applies to: all platforms)

Implement rate limiting on endpoints that accept JSON payloads to prevent mass exploitation.
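An added example (not code from the chuanhuchatgpt project) of the pre-regex input validation described above, in Python: it walks a decoded JSON payload and rejects any string that is too long or carries too many angle brackets before the page's regex pattern is run on it. The limits, the nesting cap and the function names are constructed assumptions; tune them to the deployment.

```python
import json
import re

# Regex named on the advisory page as the pattern used for input parsing.
TAG_RE = re.compile(r'<[^>]+>')

# Constructed limits (assumptions, not values from the advisory); tune per deployment.
MAX_STRING_LEN = 10_000      # longest string value accepted anywhere in the payload
MAX_ANGLE_BRACKETS = 200     # most '<' or '>' characters tolerated in one string value
MAX_DEPTH = 32               # nesting cap for the recursive walk

class PayloadRejected(ValueError):
    """Raised when a payload fails the pre-regex checks."""

def _check_string(value, path):
    # Both checks are plain O(n) scans, so they stay cheap on hostile input.
    if len(value) > MAX_STRING_LEN:
        raise PayloadRejected(f"{path}: {len(value)} chars exceeds {MAX_STRING_LEN}")
    brackets = value.count('<') + value.count('>')
    if brackets > MAX_ANGLE_BRACKETS:
        raise PayloadRejected(f"{path}: {brackets} angle brackets exceeds {MAX_ANGLE_BRACKETS}")

def validate_payload(node, path="$", depth=0):
    """Walk a decoded JSON document and reject oversized or bracket-heavy strings."""
    if depth > MAX_DEPTH:
        raise PayloadRejected(f"{path}: nesting deeper than {MAX_DEPTH}")
    if isinstance(node, str):
        _check_string(node, path)
    elif isinstance(node, dict):
        for key, child in node.items():
            _check_string(str(key), f"{path}.{key}")
            validate_payload(child, f"{path}.{key}", depth + 1)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            validate_payload(child, f"{path}[{i}]", depth + 1)
    # numbers, booleans and null carry no text for the regex to process

def strip_tags(text):
    """Run the page's regex only on a string that has passed the checks."""
    _check_string(text, "$")
    return TAG_RE.sub("", text)

def is_acceptable(raw):
    """Decode a raw JSON payload and report whether it passes validation."""
    try:
        validate_payload(json.loads(raw))
    except (ValueError, RecursionError):  # PayloadRejected and JSONDecodeError are ValueErrors
        return False
    return True
```

Call is_acceptable on the request body before the application parses it, and return an HTTP 4xx when it reports False.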

🧯 If You Can't Patch

  • Implement WAF rules to block payloads with excessive angle brackets or unusual patterns
  • Monitor CPU usage and set alerts for sustained high CPU consumption

🔍 How to Verify

Check if Vulnerable:

Check if your code uses the regex pattern r'<[^>]+>' for parsing user input in the affected component.

Check Version:

git log --oneline | head -5

Verify Fix Applied:

Verify the regex pattern has been updated to a more efficient implementation or removed from user input processing.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large JSON payloads
  • Sustained high CPU usage logs
  • Request timeouts on specific endpoints

Network Indicators:

  • Multiple requests with similar payload patterns
  • Unusual traffic spikes to JSON endpoints

SIEM Query:

source="application.logs" AND ("CPU 100%" OR "timeout" OR "large payload")
