CVE-2024-6090

7.5 HIGH

📋 TL;DR

A path traversal vulnerability in gaizhenbiao/chuanhuchatgpt version 20240410 allows any user to delete other users' chat histories and any .json files on the system. This can cause denial of service by preventing user authentication. All users of the affected version are impacted.

💻 Affected Systems

Products:
  • gaizhenbiao/chuanhuchatgpt
Versions: Version 20240410 specifically
Operating Systems: All operating systems running the affected software
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of version 20240410.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through deletion of critical .json files, including configuration and authentication files, leading to permanent data loss and service disruption.

🟠 Likely Case: Unauthorized deletion of chat histories and potential authentication files, causing service disruption and data loss for users.

🟢 If Mitigated: Limited to deletion of non-critical .json files if proper file permissions and input validation are in place.

🌐 Internet-Facing: HIGH - The vulnerability requires no authentication and can be exploited remotely if the application is exposed to the internet.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to delete chat histories and cause service disruption.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation details are publicly available through the referenced commit and bounty reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 526c615c437377ee9c71f866fd0f19011910f705

Vendor Advisory: https://github.com/gaizhenbiao/chuanhuchatgpt/commit/526c615c437377ee9c71f866fd0f19011910f705

Restart Required: Yes

Instructions:

1. Update to the latest version of chuanhuchatgpt.
2. Apply commit 526c615c437377ee9c71f866fd0f19011910f705.
3. Restart the application service.

🔧 Temporary Workarounds

Restrict file permissions

linux

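Set strict file permissions on .json files to prevent deletion by the application user. On Linux, removing a file is governed by write permission on its parent directory rather than on the file itself, so these settings only help if the application user also cannot write to that directory. Files owned by root with mode 600 are also unreadable to an application running as a non-root user.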

chmod 600 *.json
chown root:root *.json

Network isolation

linux

Restrict network access to the application to trusted IPs only.

iptables -A INPUT -p tcp --dport [APP_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [APP_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict input validation to reject path traversal sequences in user inputs.
  • Monitor and alert on deletion of .json files in the application directory.
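
One way to implement the input-validation item above, as an added example (not the project's code and not the fix commit): canonicalise the requested name and confirm it stays inside the requesting user's directory before deleting. The function names and the one-folder-per-user layout under `history_root` are assumptions.

```python
import os


class UnsafePathError(ValueError):
    """Raised when a user-supplied name would resolve outside the user's directory."""


def resolve_history_file(history_root, username, filename):
    """Return the canonical path of `filename` inside history_root/username.

    Hypothetical helper: the layout (one folder per user under history_root)
    is an assumption for this example, not taken from the project.
    """
    for part in (username, filename):
        # Reject empty names, NUL bytes and dot-only components up front.
        if not part or "\x00" in part or part in (".", ".."):
            raise UnsafePathError(f"rejected name: {part!r}")
        # A single path component never contains a separator (POSIX or Windows).
        if "/" in part or "\\" in part:
            raise UnsafePathError(f"rejected name: {part!r}")
    if not filename.endswith(".json"):
        raise UnsafePathError("only .json history files are addressable")

    user_dir = os.path.realpath(os.path.join(history_root, username))
    target = os.path.realpath(os.path.join(user_dir, filename))
    # Canonicalise first, then compare: this also catches a symlink inside
    # the user's folder that points at a file somewhere else.
    if os.path.commonpath([user_dir, target]) != user_dir:
        raise UnsafePathError(f"{filename!r} escapes {user_dir}")
    return target


def delete_history(history_root, username, filename):
    """Delete one history file; return True if a file was removed."""
    target = resolve_history_file(history_root, username, filename)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True
```

The check runs on the canonical path, so it does not depend on spotting a literal `../` in the input.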

🔍 How to Verify

Check if Vulnerable:

Check if running version 20240410 of chuanhuchatgpt and test for path traversal by attempting to delete a test .json file using traversal sequences.

Check Version:

Check the application version in the software interface or configuration files.

Verify Fix Applied:

Verify the application version is updated past commit 526c615c and test that path traversal attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion events for .json files
  • HTTP requests containing path traversal sequences like '../'

Network Indicators:

  • HTTP requests to delete endpoints with suspicious parameters

SIEM Query:

source="application.log" AND (("delete" AND ".json") OR ("../" AND "delete"))
