ChatGPT-Next-Web SSRF Vulnerability Let Attackers Gain Unauthorized Server Access

Apart from ChatGPT and Gemini AI which are the most popular Artificial Intelligence systems available to the public, there are several other standalone chatbot applications that are available for users to deploy and use for their own personal customization. 

These standalone applications also provide the feature to plug in and test different AI models and can also bypass IP block restrictions.

One of the most popular standalone Gen AI chatbot applications available for users is the NextChat, a.k.a ChatGPT-Next-Web. 

This particular application is open-source and available on GitHub with more than 63K+ stars and 52K+ forks.

Additionally, a shodan query (title:NextChat,”ChatGPT Next Web”) shows that this chatbot application has been deployed mostly in China and the US with more than 7500+ exposed instances.

However, this particular chatbot application is vulnerable to a critical full-read server-side request forgery (SSRF) vulnerability.

This vulnerability has been assigned the CVE-2023-49785 designation and has a severity level of 9.1 (Critical). No patch is available for this vulnerability yet, making it still a threat to organizations.

ChatGPT-Next-Web SSRF Vulnerability

According to the reports shared with Cyber Security News, NextChat is a Next.js based JavaScript application and its functionalities have been mostly implemented as client-side code.

The vulnerability was present at the /api/cors endpoint of this application, which is used to save client-side chat data to WebDAV users.

An unauthenticated user with access to this application can send arbitrary HTTP requests through this endpoint that could enable the users to bypass built-in browser protections and access cross-domain resources through a server-side endpoint. 

An attacker can exploit this vulnerability by adding an internal endpoint at the end of the URL endpoint, which allows the attacker to access internal HTTP resources. 

Exploitation of SSRF as Open Redirect (Source: Horizon3)

In addition to this, if the instance is deployed in AWS, an attacker can access AWS cloud metadata and retrieve AWS access keys from an EC2 instance running with IMDSv1 (Instance Metadata Service Version 1) enabled.

AWS Metadata leak (Source: Horizon3)

Nevertheless, passing other headers such as Cookie and Content-Type is limited. However, there are creative ways to inject these headers on the HTTP request. 

Reflected XSS

As an interesting side note, this endpoint was also discovered to be vulnerable to cross-site scripting, which does not require another website to trigger the exploit.

The endpoint uses the fetch method, which supports the data protocol, allowing the XSS to trigger directly on the website. 

The XSS can be triggered using the following exploit code added to the URL endpoint.


Decoded: <script>alert(document.domain)</script>

XSS Triggered (Source: Horizon3)

It is recommended that organizations prevent this application from being exposed to the internet.

If it is inevitable to add internet access to this application, it is suggested to isolate it without access to other internal resources.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.