| タイトル | assafelovic gpt-researcher 3.4.3 Unrestricted Access |
|---|
| 説明 | gpt-researcher v3.4.3 and earlier versions expose all HTTP REST API endpoints and the WebSocket interface without any form of authentication or authorization. A total of 14 endpoints — including file upload, file deletion, research task generation (which triggers expensive LLM API calls), report access, and chat — are accessible to any unauthenticated network user. This allows an attacker to upload arbitrary files, delete existing files, exfiltrate all research reports, consume API credits by triggering unlimited research tasks, and manipulate server-side configuration. |
|---|
| ソース | ⚠️ https://github.com/assafelovic/gpt-researcher/issues/1695 |
|---|
| ユーザー | Yu-Bao (UID 96702) |
|---|
| 送信 | 2026年03月23日 04:11 (24 日 ago) |
|---|
| モデレーション | 2026年04月05日 21:12 (14 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 355420 [assafelovic gpt-researcher 迄 3.4.3 HTTP REST API Endpoint 弱い認証] |
|---|
| ポイント | 20 |
|---|