CRITICALCVE-2024-3234CVSS 9.8

CVE-2024-3234: Path Traversal in chuanhuchatgpt

Platform

python

Component

gaizhenbiao/chuanhuchatgpt

Fixed in

20240305

AI Confidence: highNVDEPSS 86.0%Reviewed: May 2026

View on NVD

Save

CVE-2024-3234 represents a critical path traversal vulnerability affecting the chuanhuchatgpt application. This flaw allows unauthorized access to sensitive files, potentially exposing API keys and other configuration data. The vulnerability impacts versions of chuanhuchatgpt released prior to 20240305, and a fix was released on that date.

Impact and Attack Scenarios

The primary impact of CVE-2024-3234 is the unauthorized disclosure of sensitive information. Due to the path traversal vulnerability, an attacker can bypass intended access restrictions within the web_assets directory. This enables them to read files outside of this directory, including config.json. This file likely contains API keys, which could then be used to compromise associated services or data. The blast radius extends to any systems or data accessible through the API keys stored in the config.json file. This vulnerability leverages a known issue (CVE-2023-51449) in an outdated gradio component, highlighting the importance of keeping dependencies up to date.

Exploitation Context

CVE-2024-3234 is based on CVE-2023-51449, a known path traversal vulnerability in gradio. Public proof-of-concept exploits for CVE-2023-51449 exist, increasing the likelihood of exploitation. The vulnerability was published on 2024-06-06. There is no indication of active exploitation campaigns at this time, but the ease of exploitation warrants immediate attention.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

85.99% (99% percentile)

CISA SSVC

Exploitationpoc

Automatableyes

Technical Impacttotal

CVSS Vector

Affected Software

Componentgaizhenbiao/chuanhuchatgpt

Vendorgaizhenbiao

Affected rangeFixed in

unspecified – 20240305 20240305

Weakness Classification (CWE)

CWE-22

Timeline

Reserved2024-04-02
Published2024-06-06
Modified2024-08-01
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2024-3234 is to immediately upgrade chuanhuchatgpt to version 20240305 or later. This version incorporates the necessary fix to address the path traversal vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal attempts (e.g., ../ sequences). Carefully review and restrict file access permissions within the webassets directory to further limit the potential impact of this vulnerability. After upgrading, confirm the fix by attempting to access files outside the webassets directory and verifying that access is denied.

How to fix

Update the chuanhuchatgpt application to version 20240305 or later. This version includes an update to the gradio component that fixes the path traversal vulnerability. This will prevent unauthorized access to sensitive files such as config.json.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-3234 — Path Traversal in chuanhuchatgpt?

CVE-2024-3234 is a critical path traversal vulnerability in chuanhuchatgpt versions before 20240305, allowing attackers to access sensitive files like config.json.

Am I affected by CVE-2024-3234 in chuanhuchatgpt?

Yes, if you are using chuanhuchatgpt versions prior to 20240305, you are vulnerable to this path traversal attack.

How do I fix CVE-2024-3234 in chuanhuchatgpt?

Upgrade to version 20240305 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.

Is CVE-2024-3234 being actively exploited?

While there's no confirmed active exploitation, the vulnerability is easily exploitable and based on a known issue, so immediate action is recommended.

Where can I find the official chuanhuchatgpt advisory for CVE-2024-3234?

Refer to the project's repository or release notes for the official advisory regarding CVE-2024-3234.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Python

Detect this CVE in your project

Upload your requirements.txt file and we'll tell you instantly if you're affected.

Supported formats: requirements.txt · Pipfile.lock

Scan free

Search CVEs

Upload requirements.txt

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.