Submit #807794: chatchat-space Langchain-Chatchat 0.3.1.3 Weak Hash / CWE-328

Title: chatchat-space Langchain-Chatchat 0.3.1.3 Weak Hash / CWE-328
Description: A vulnerability was found in chatchat-space Langchain-Chatchat 0.3.1.3. Affected by this vulnerability is an unknown functionality of the file libs/chatchat-server/chatchat/webui_pages/dialogue/dialogue.py (line 278) of the component Vision Chat Paste Image Handler. The manipulation of the argument paste_image.image_data leads to a weak hash vulnerability. PIL.Image.tobytes() serializes only the raw pixel index array of P-mode images, discarding palette metadata (PLTE chunk). An attacker can craft two visually distinct PNG images sharing identical tobytes() output via different palette definitions, causing hashlib.md5(image.tobytes()).hexdigest() to produce the same filename for both images. The attack may be initiated remotely with low privileges in a multi-tenant deployment. The exploit has been disclosed to the public. It is recommended to replace tobytes() with the complete serialized PNG byte stream via image.save(buf, format="png") and upgrade the hash algorithm to SHA-256.
Source: https://github.com/chatchat-space/Langchain-Chatchat/issues/5462
User: Dem00 (UID 84913)
Submission: 19/04/2026 10:13 AM (2 months ago)
Moderation: 05/05/2026 12:21 PM (16 days later)
Status: Accepted
VulDB entry: 361124 [chatchat-space Langchain-Chatchat up to 0.3.1.3 Vision Chat Paste Image dialogue.py PIL.Image.tobytes paste_image.image_data weak encryption]
Points: 20
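
The filename derivation named in the description beside the recommended replacement, as an added example (not code from Langchain-Chatchat or from the submission). It assumes Pillow is installed; the function names and the constructed 2x2 sample images are illustrative.

```python
import hashlib
import io

from PIL import Image


def make_p_image(colors):
    """Constructed sample: 2x2 P-mode image with fixed pixel indices.

    `colors` is a flat [r, g, b, r, g, b, ...] list for the first palette
    entries; the rest of the 256-entry palette is zero-filled.
    """
    img = Image.frombytes("P", (2, 2), bytes([0, 1, 1, 0]))
    img.putpalette(list(colors) + [0] * (768 - len(colors)))
    return img


def weak_name(img):
    # Pattern named in the description: MD5 over tobytes(). For a P-mode
    # image this is only the index array, so the palette is never hashed.
    return hashlib.md5(img.tobytes()).hexdigest()


def strong_name(img):
    # Recommended fix: hash the complete serialized PNG stream, which
    # includes the PLTE chunk, and use SHA-256 instead of MD5.
    buf = io.BytesIO()
    img.save(buf, format="png")
    return hashlib.sha256(buf.getvalue()).hexdigest()


if __name__ == "__main__":
    # Two constructed images: same indices, different palettes.
    a = make_p_image([255, 0, 0, 0, 0, 255])
    b = make_p_image([0, 255, 0, 255, 255, 0])
    print("rendered pixels differ:",
          a.convert("RGB").tobytes() != b.convert("RGB").tobytes())
    print("weak names equal:      ", weak_name(a) == weak_name(b))
    print("strong names equal:    ", strong_name(a) == strong_name(b))
```

A regression test for the fix can assert the same three conditions: identical weak names, distinct strong names, and a stable strong name for the same input.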
