CVE-2025-2334 – This vulnerability allows remote attackers to d... (How to Fix)

Q: What is the severity of CVE-2025-2334?

CVE-2025-2334 has a CVSS score of 5.4 (MEDIUM). This vulnerability allows remote attackers to delete chat histories they shouldn't have access to due to improper access controls in the deleteChat function. It affects users of the springboot-openai-chatgpt component's chat history handler. Attackers can exploit this to delete other users' chat data without authorization.

📋 TL;DR

This vulnerability allows remote attackers to delete chat histories they shouldn't have access to due to improper access controls in the deleteChat function. It affects users of the springboot-openai-chatgpt component's chat history handler. Attackers can exploit this to delete other users' chat data without authorization.

💻 Affected Systems

Products:

springboot-openai-chatgpt

Versions: e84f6f5 (specific commit hash affected)

Operating Systems: Any OS running the vulnerable component

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific commit e84f6f5 of the springboot-openai-chatgpt repository. Component ID: 274056675.

📦 What is this software?

Springboot Openai Chatgpt by 274056675

View all CVEs affecting Springboot Openai Chatgpt →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Mass deletion of user chat histories, potential data loss, and disruption of service functionality.

🟠

Likely Case

Targeted deletion of specific users' chat histories, causing data loss and potential privacy violations.

🟢

If Mitigated

Minimal impact with proper access controls preventing unauthorized deletions.

🌐 Internet-Facing: HIGH - Attack can be initiated remotely and exploit is publicly disclosed.

🏢 Internal Only: MEDIUM - Internal attackers could still exploit but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit has been publicly disclosed and manipulation of chatListId parameter leads to improper access controls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

1. Check repository for security updates. 2. Apply any available patches. 3. Restart the application service. 4. Verify fix implementation.

🔧 Temporary Workarounds

Implement Access Control Validation

all

Add server-side validation to ensure users can only delete their own chat histories

Modify deleteChat function to verify user ownership of chatListId

Disable Vulnerable Endpoint

all

Temporarily disable the /api/mjkj-chat/chat/ai/delete/chat endpoint

Comment out or remove endpoint mapping in Spring Boot configuration

🧯 If You Can't Patch

Implement network-level access controls to restrict who can reach the vulnerable endpoint
Add application-level logging and monitoring for unauthorized delete attempts

🔍 How to Verify

Check if Vulnerable:

Check if running commit e84f6f5 of springboot-openai-chatgpt and test if unauthorized users can delete others' chat histories via the deleteChat endpoint.

Check Version:

git log --oneline -1 (to check current commit hash)

Verify Fix Applied:

Test that only authenticated users can delete their own chat histories and unauthorized attempts are properly rejected.

📡 Detection & Monitoring

Log Indicators:

Multiple DELETE requests to /api/mjkj-chat/chat/ai/delete/chat from single user
Failed authorization attempts for chat deletion

Network Indicators:

Unusual pattern of DELETE requests to chat deletion endpoint
Requests with manipulated chatListId parameters

SIEM Query:

source="application.logs" AND (uri="/api/mjkj-chat/chat/ai/delete/chat" AND method="DELETE") | stats count by src_ip, user_agent

📊 Metadata

CVE ID: CVE-2025-2334

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE: CWE-266

EPSS Score: 0.38% exploit probability (59.2th percentile)

Published: March 15, 2025

Last Updated: October 21, 2025

🔗 References

https://vuldb.com/?ctiid.299799 Permissions Required,VDB Entry
https://vuldb.com/?id.299799 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.505688 Third Party Advisory,VDB Entry
https://www.cnblogs.com/aibot/p/18732182 Exploit,Third Party Advisory
https://www.cnblogs.com/aibot/p/18732182 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-2334, you might also want to check these: