
ChatGPT File Download Flow Vulnerability Could Be Abused to Access System Files


A security researcher has published a proof-of-concept vulnerability chain in ChatGPT that combined a guardrail bypass with a path traversal flaw, potentially allowing attackers to read restricted system files such as /etc/passwd from the platform's code-execution sandbox through its file download mechanism.

According to security researcher zer0dac, who reported the issue, OpenAI has since remediated it by redesigning the URL download flow.

The exploitation chain involved four steps, starting with a routine file upload and ending in local file inclusion (LFI).

File upload: The researcher uploaded a dummy HTML file to ChatGPT for review, establishing a sandboxed file path.

Guardrail bypass: When the researcher directly requested a download link for the file, ChatGPT refused, citing its policy of deleting uploaded files after temporary storage. The researcher maps this weakness to OWASP's LLM02:2025 (Sensitive Information Disclosure) category.

Social engineering the LLM: By first requesting an edit to the uploaded file, then claiming the file was “accidentally deleted” and asking for a re-download link, the researcher tricked ChatGPT into generating a valid download URL, bypassing the deletion restriction entirely.

Endpoint interception: The generated link revealed the structure of the backend download endpoint, including the user-controlled parameter that the next step abused: /backend-api/conversation/{id}/interpreter/download?message_id={id}&sandbox_path=/mnt/data/test.html.

ChatGPT Video PoC (Source: zer0dac)

ChatGPT File Download Flow Vulnerability

With a valid download endpoint in hand, the researcher targeted the sandbox_path parameter. A naive traversal payload like ../../../../etc/passwd would likely trigger path validation checks and get blocked.

Instead, the researcher preserved the original legitimate path and appended traversal sequences after it: /mnt/data/test.html/../../../../etc/passwd.

This technique exploited inconsistent path normalization: the validation logic evidently inspected the raw string (which still begins with the legitimate sandbox path /mnt/data/test.html) and accepted it, while a later step collapsed the ../ segments and resolved the path outside the sandboxed directory. That the request succeeded at all is itself a clue to the implementation: the Linux kernel rejects a path such as test.html/.. with ENOTDIR when test.html is a regular file, so the backend most likely normalized the string lexically (normpath-style) before opening it. When accessed directly in a browser, the crafted URL returned the contents of /etc/passwd from ChatGPT's execution environment.
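To make the validation mistake concrete, the following is an added example (not the researcher's PoC and not OpenAI's code, whose fix has not been published). It assumes a hypothetical sandbox root of /mnt/data and contrasts a naive prefix check on the raw sandbox_path string with a check that normalizes the path first and then confirms it is still inside the root. The payloads are the ones described above plus a few constructed variants.

```python
import posixpath

# Assumption: the sandbox served files from this directory; the real value is
# only implied by the leaked URL (sandbox_path=/mnt/data/test.html).
SANDBOX_ROOT = "/mnt/data"


def is_allowed_naive(sandbox_path: str) -> bool:
    """Vulnerable check: only looks at the raw string.

    '/mnt/data/test.html/../../../../etc/passwd' starts with the sandbox
    prefix, so it passes, even though it later resolves to /etc/passwd.
    """
    return sandbox_path.startswith(SANDBOX_ROOT + "/")


def resolve_lexically(sandbox_path: str) -> str:
    """Collapse '.' and '..' segments the way a normpath-style backend would.

    This is purely lexical (no filesystem access), which is exactly why a
    '../' chain after a file name still 'works' here while the kernel would
    reject it with ENOTDIR.
    """
    return posixpath.normpath(sandbox_path)


def is_allowed_hardened(sandbox_path: str) -> bool:
    """Normalize first, then check containment against the sandbox root.

    Rejects NUL bytes, relative paths, the root directory itself, and
    anything whose normalized form escapes SANDBOX_ROOT. Real deployments
    should additionally resolve symlinks (os.path.realpath) and open the
    file with the resolved path, not the user-supplied one.
    """
    if "\x00" in sandbox_path or not posixpath.isabs(sandbox_path):
        return False
    resolved = resolve_lexically(sandbox_path)
    if resolved == SANDBOX_ROOT:
        return False
    try:
        return posixpath.commonpath([SANDBOX_ROOT, resolved]) == SANDBOX_ROOT
    except ValueError:
        return False


def audit(payloads):
    """Return (payload, naive_verdict, resolved_path, hardened_verdict) rows."""
    return [
        (p, is_allowed_naive(p), resolve_lexically(p), is_allowed_hardened(p))
        for p in payloads
    ]


# Constructed test inputs: the legitimate path from the article, the naive
# traversal it says would be blocked, the working payload, and two variants.
PAYLOADS = [
    "/mnt/data/test.html",
    "../../../../etc/passwd",
    "/mnt/data/test.html/../../../../etc/passwd",
    "/mnt/data/../data/test.html",   # stays inside the root after normalization
    "/mnt/data2/test.html",          # sibling directory sharing the prefix text
]

if __name__ == "__main__":
    for row in audit(PAYLOADS):
        print("naive=%-5s resolved=%-22s hardened=%-5s %s"
              % (row[1], row[2], row[3], row[0]))
```

The row for the working payload is the one to study: the naive check says True, the lexical resolution produces /etc/passwd, and the hardened check says False because the normalized path no longer shares /mnt/data as its common prefix. The order of operations (normalize, then check) is the whole fix; checking the raw string first is the bug.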

According to the researcher's notes, the practical impact was limited because ChatGPT's code execution environment is sandboxed: reading a generic system file like /etc/passwd from that container disclosed no user or platform secrets.

However, the disclosure emphasizes a critical point for AI security: LFI and path traversal primitives, when discovered in isolation, can serve as building blocks in larger exploit chains, especially in agentic or tool-augmented LLM architectures, where sandboxes may have broader file access or interact with other services.

OpenAI has since closed the vulnerability by changing the design of the URL download flow, though specific technical details of the fix have not been publicly disclosed.

This case highlights two converging risk categories in LLM security: prompt-based guardrail manipulation (getting a model to override its own safety logic through conversational framing) and a traditional web application vulnerability (path traversal) in a backend endpoint whose URLs the model generates.

As LLM platforms increasingly handle file uploads, code execution, and dynamic URL generation, researchers argue that both AI-specific red teaming and conventional web app security testing need to be applied in tandem to these systems.

The post ChatGPT File Download Flow Vulnerability Could Be Abused to Access System Files appeared first on Cyber Security News.

Source: cybersecuritynews.com
