| عنوان | chatchat-space Langchain-Chatchat 0.3.1.3 TOCTOU Race Condition / CWE-367 |
|---|
| الوصف | A vulnerability was found in chatchat-space Langchain-Chatchat 0.3.1.3. Affected by this vulnerability is the function files() of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py (lines 260–284) of the component OpenAI-Compatible File Upload API. The manipulation of the argument file.filename leads to a time-of-check time-of-use (TOCTOU) race condition. Files are stored using open(path, "wb") at a path derived solely from purpose, date, and filename, with no conflict detection, deduplication, or per-user isolation. A second upload with the same filename silently overwrites the first. Because the Vision LLM fetches images from disk in real-time via GET /v1/files/{id}/content with no content pinning, the LLM may receive an attacker-controlled image instead of the victim's original upload within the race condition window. The attack may be initiated remotely with low privileges in a multi-tenant deployment. The exploit has been disclosed to the public. It is recommended to introduce a random UUID component in the file storage path and implement content pinning at upload time. |
|---|
| المصدر | ⚠️ https://github.com/chatchat-space/Langchain-Chatchat/issues/5463 |
|---|
| المستخدم | Dem00 (UID 84913) |
|---|
| ارسال | 19/04/2026 10:21 AM (2 أشهر منذ) |
|---|
| الاعتدال | 05/05/2026 12:21 PM (16 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 361125 [chatchat-space Langchain-Chatchat حتى 0.3.1.3 OpenAI-Compatible File Upload API openai_routes.py files file.filename حالة سباق] |
|---|
| النقاط | 20 |
|---|