| 제목 | chatchat-space Langchain-Chatchat 0.3.1.3 TOCTOU Race Condition / CWE-367 |
|---|
| 설명 | A vulnerability was found in chatchat-space Langchain-Chatchat 0.3.1.3. Affected by this vulnerability is the function files() of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py (lines 260–284) of the component OpenAI-Compatible File Upload API. The manipulation of the argument file.filename leads to a time-of-check time-of-use (TOCTOU) race condition. Files are stored using open(path, "wb") at a path derived solely from purpose, date, and filename, with no conflict detection, deduplication, or per-user isolation. A second upload with the same filename silently overwrites the first. Because the Vision LLM fetches images from disk in real-time via GET /v1/files/{id}/content with no content pinning, the LLM may receive an attacker-controlled image instead of the victim's original upload within the race condition window. The attack may be initiated remotely with low privileges in a multi-tenant deployment. The exploit has been disclosed to the public. It is recommended to introduce a random UUID component in the file storage path and implement content pinning at upload time. |
|---|
| 원천 | ⚠️ https://github.com/chatchat-space/Langchain-Chatchat/issues/5463 |
|---|
| 사용자 | Dem00 (UID 84913) |
|---|
| 제출 | 2026. 04. 19. AM 10:21 (2 개월 ago) |
|---|
| 모더레이션 | 2026. 05. 05. PM 12:21 (16 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 361125 [chatchat-space Langchain-Chatchat 까지 0.3.1.3 OpenAI-Compatible File Upload API openai_routes.py files file.filename 경쟁 조건] |
|---|
| 포인트들 | 20 |
|---|