| عنوان | assafelovic gpt-researcher 3.4.3 Unrestricted Access |
|---|
| الوصف | gpt-researcher v3.4.3 and earlier versions expose all HTTP REST API endpoints and the WebSocket interface without any form of authentication or authorization. A total of 14 endpoints — including file upload, file deletion, research task generation (which triggers expensive LLM API calls), report access, and chat — are accessible to any unauthenticated network user. This allows an attacker to upload arbitrary files, delete existing files, exfiltrate all research reports, consume API credits by triggering unlimited research tasks, and manipulate server-side configuration. |
|---|
| المصدر | ⚠️ https://github.com/assafelovic/gpt-researcher/issues/1695 |
|---|
| المستخدم | Yu-Bao (UID 96702) |
|---|
| ارسال | 23/03/2026 04:11 AM (25 أيام منذ) |
|---|
| الاعتدال | 05/04/2026 09:12 PM (14 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 355420 [assafelovic gpt-researcher حتى 3.4.3 HTTP REST API Endpoint توثيق ضعيف] |
|---|
| النقاط | 20 |
|---|