CVE-2024-38514
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in NextChat's WebDav API endpoint. Attackers can exploit it by manipulating the 'endpoint' GET parameter to make arbitrary HTTPS requests from the vulnerable server or target users with malicious JavaScript. All NextChat instances running versions before 2.12.4 are affected.
💻 Affected Systems
- NextChat (ChatGPT-Next-Web)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via internal service enumeration and exploitation, data exfiltration, or using the server as a proxy for attacks against other systems.
Likely Case
Internal network reconnaissance, credential harvesting from metadata services, or delivering malicious JavaScript to NextChat users.
If Mitigated
Limited to external resource probing if proper network segmentation and input validation are in place.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint with crafted parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.12.4
Vendor Advisory: https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web/security/advisories/GHSA-gph5-rx77-3pjg
Restart Required: Yes
Instructions:
1. Update NextChat to version 2.12.4 or later.
2. Restart the NextChat service.
3. Verify the update by checking the version.
🔧 Temporary Workarounds
Disable WebDav API
Temporarily disable the vulnerable WebDav API endpoint if immediate patching isn't possible.
Modify NextChat configuration to disable WebDav functionality or block access to /api/webdav/* endpoints
Network Access Control
Restrict access to the WebDav API endpoint using firewall rules or web server configuration.
# Matches the request path in plaintext TCP payloads only: if a TLS-terminating reverse proxy sits in front of NextChat, block /api/webdav in the proxy configuration instead.
iptables -A INPUT -p tcp --dport [NextChat_PORT] -m string --string "/api/webdav" --algo bm -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to limit the server's ability to reach internal resources.
- Deploy a Web Application Firewall (WAF) with SSRF protection rules to block malicious requests.
🔍 How to Verify
Check if Vulnerable:
Check if NextChat version is below 2.12.4 and test by sending a request to /api/webdav with a crafted 'endpoint' parameter pointing to an external service.
Check Version:
Check the NextChat interface or application logs for version information, or inspect package.json in the installation directory.
Verify Fix Applied:
Confirm version is 2.12.4 or higher and retest the SSRF payload; it should be rejected or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /api/webdav endpoint with external URLs in parameters
- Outbound HTTPS requests from NextChat server to unexpected destinations
Network Indicators:
- HTTP requests from NextChat server to internal services (like metadata endpoints) or external domains not typically accessed
SIEM Query:
source="nextchat.logs" AND uri_path="/api/webdav" AND (query_parameter="endpoint" AND value CONTAINS "http")
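The log indicators above, applied to sample access-log lines as an added detection example (not code from NextChat or from this page): it extracts the 'endpoint' parameter from /api/webdav requests and flags values that point at private, loopback or link-local addresses (metadata services included) or at hosts outside an assumed allowlist. The log format, the allowlist and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines ("<client-ip> <method> <request-target>"); not real NextChat logs.
SAMPLE_LOG = """\
10.0.0.5 GET /api/webdav?endpoint=https%3A%2F%2Fdav.example.com%2Fdav%2F
203.0.113.9 GET /api/webdav?endpoint=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F
203.0.113.9 GET /api/webdav?endpoint=https%3A%2F%2F10.1.2.3%3A8080%2F
198.51.100.4 GET /api/webdav?endpoint=https%3A%2F%2Funknown.example.net%2F
10.0.0.5 GET /api/chat
"""

# WebDAV hosts this deployment legitimately syncs with (assumption; take from your own config).
ALLOWED_HOSTS = {"dav.example.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)")


def classify_endpoint(url: str) -> str:
    """Return 'ok', 'internal' or 'unexpected' for one endpoint parameter value."""
    host = urlparse(url).hostname or ""
    if host in ALLOWED_HOSTS:
        return "ok"
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return "internal"
    except ValueError:
        # Not an IP literal. No DNS lookup is done here, so a public name that resolves
        # to an internal address is reported as 'unexpected', not 'internal'.
        pass
    return "unexpected"


def find_suspicious(log_text: str) -> list[tuple[str, str, str]]:
    """Yield (client_ip, endpoint, verdict) for every non-allowlisted WebDav endpoint."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        client, _method, target = match.groups()
        parsed = urlparse(target)
        if not parsed.path.startswith("/api/webdav"):
            continue
        for endpoint in parse_qs(parsed.query).get("endpoint", []):
            verdict = classify_endpoint(endpoint)
            if verdict != "ok":
                hits.append((client, endpoint, verdict))
    return hits
```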
🔗 References
- https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web/commit/dad122199a85c2f12277593973e1784b212adf5e
- https://github.com/ChatGPTNextWeb/ChatGPT-Next-Web/security/advisories/GHSA-gph5-rx77-3pjg