PYSEC-2025-95

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/chuanhuchatgpt/PYSEC-2025-95.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2025-95
Aliases
  • CVE-2024-9107
Published
2025-03-20T10:15:47.230Z
Modified
2026-05-21T15:00:07.005560096Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

A stored cross-site scripting (XSS) vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, affecting git revision 20b2e02. The vulnerability arises from improper sanitization of HTML tags in uploaded chat histories. Specifically, the sanitization logic fails to handle HTML tags inside code blocks correctly, so an attacker can inject script content through an uploaded history file. This can lead to the execution of arbitrary JavaScript in the context of the user's browser, potentially enabling identity theft or other malicious actions.
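As an added illustration, not the project's own code, the following hypothetical renderer for an uploaded chat history shows the kind of gap the advisory describes and its fix: one variant trusts fenced code blocks and emits them verbatim, the other escapes their contents. The JSON layout of the history, the function names and the sample message are assumptions constructed for this example.

```python
import html
import json
import re

# Constructed sample upload (not a real chuanhuchatgpt history file): the
# assistant message carries a raw HTML tag inside a fenced code block.
SAMPLE_HISTORY = json.dumps({"history": [
    {"role": "user", "content": "show me a snippet"},
    {"role": "assistant",
     "content": "Sure:\n```html\n<script>evil()</script>\n```\nDone."},
]})

FENCE_RE = re.compile(r"```[^\n]*\n(.*?)```", re.DOTALL)  # fenced block body
TAG_RE = re.compile(r"<[^>]+>")                              # any HTML tag


def render_naive(markdown: str) -> str:
    """Flawed approach: strip tags from prose but pass code-block bodies through
    untouched, on the assumption that a code block cannot carry markup."""
    out, pos = [], 0
    for m in FENCE_RE.finditer(markdown):
        out.append(TAG_RE.sub("", markdown[pos:m.start()]))
        out.append("<pre><code>" + m.group(1) + "</code></pre>")  # raw: unsafe
        pos = m.end()
    out.append(TAG_RE.sub("", markdown[pos:]))
    return "".join(out)


def render_safe(markdown: str) -> str:
    """Hardened approach: every text span, including code-block bodies, is
    HTML-escaped before it reaches the page, so browser never sees a live tag."""
    out, pos = [], 0
    for m in FENCE_RE.finditer(markdown):
        out.append(html.escape(markdown[pos:m.start()]))
        out.append("<pre><code>" + html.escape(m.group(1)) + "</code></pre>")
        pos = m.end()
    out.append(html.escape(markdown[pos:]))
    return "".join(out)


def render_history(raw_json: str, renderer) -> list[str]:
    """Render each message of an uploaded history with the given renderer."""
    return [renderer(msg["content"]) for msg in json.loads(raw_json)["history"]]


def contains_live_script(fragment: str) -> bool:
    """Regression check for the rendered output: is an unescaped <script> tag
    still present?  Useful in a unit test guarding the history-upload path."""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None
```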

References

Affected packages

PyPI / chuanhuchatgpt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
2024-09-19

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/chuanhuchatgpt/PYSEC-2025-95.yaml"