CVE-2023-49785: Vulnerability in NextChat

CVE-2023-49785 is a critical vulnerability affecting NextChat, an application that provides users with a web interface based on ChatGPT

Information has been disclosed about a new critical vulnerability affecting NextChat, a chat interface used with ChatGPT. The vulnerability, CVE-2023-49785, would allow a remote attacker to reach internal servers over HTTP through the affected instance. It would also allow an attacker to mask their IP address, because NextChat can be used as an open proxy.

NextChat is an application that allows you to easily obtain a web interface based on ChatGPT that integrates GPT3, GPT4 and Gemini PRO.

Key Features

The main features of this vulnerability are detailed below.

  • CVE Identifier: CVE-2023-49785
  • Release Date: 11/03/2023
  • Affected Software: NextChat / ChatGPT-Next-Web
  • CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical)
  • Affected Versions
    • All versions up to and including 2.11.2
  • Exploitation requirements
    • Internet exposure.

Mitigation

There is currently no patch for the vulnerability CVE-2023-49785. The recommended mitigation is not to expose the instance publicly to the Internet. If it is exposed, ensure that it is isolated and has no access to other internal resources.

Even so, an attacker can still exploit this vulnerability to mask his/her IP address by using the affected instance as an open proxy.
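One way to check the isolation requirement above, as an added example that is not from the original advisory or the NextChat project: it compares the egress allow rules of the host running the instance against internal address space. The rule lists, function names and the selection of ranges are assumptions made for illustration.

```python
import ipaddress

# Address space an Internet-exposed NextChat host should not be able to reach.
# The selection of ranges is an assumption; extend it with your own internal prefixes.
INTERNAL_RANGES = {
    "loopback": ["127.0.0.0/8", "::1/128"],
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
}


def internal_exposure(egress_allow):
    """Map each egress allow rule (CIDR string) to the internal ranges it overlaps."""
    findings = {}
    for rule in egress_allow:
        # strict=False accepts rules written with host bits set, e.g. 10.20.0.5/16
        net = ipaddress.ip_network(rule, strict=False)
        hits = []
        for label, cidrs in INTERNAL_RANGES.items():
            for cidr in cidrs:
                internal = ipaddress.ip_network(cidr)
                # Only compare networks of the same IP version.
                if net.version == internal.version and net.overlaps(internal):
                    hits.append((label, cidr))
        if hits:
            findings[rule] = hits
    return findings


def is_isolated(egress_allow):
    """True when no egress allow rule reaches internal address space."""
    return not internal_exposure(egress_allow)


if __name__ == "__main__":
    # Constructed sample rule sets (documentation addresses, not real hosts).
    samples = {
        "allow-all": ["0.0.0.0/0", "::/0"],
        "mixed": ["10.20.0.0/16", "198.51.100.0/24"],
        "single-upstream": ["203.0.113.10/32"],
    }
    for name, rules in samples.items():
        exposure = internal_exposure(rules)
        print(name, "ISOLATED" if not exposure else "REACHES INTERNAL")
        for rule, hits in exposure.items():
            print("  ", rule, "->", ", ".join(cidr for _, cidr in hits))
```

A rule set that passes this check still permits requests to Internet destinations, so it does not address the open proxy abuse described above.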

Detection of the vulnerability CVE-2023-49785

This template from Nuclei can be used to detect this vulnerability. The template is also available from the Horizon3 blog.

As part of its emerging vulnerabilities service, Tarlogic proactively monitors the perimeter of its clients to report, detect, and urgently notify of the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.