
CVE-2024-10650: CWE-770 Allocation of Resources Without Limits or Throttling in gaizhenbiao gaizhenbiao/chuanhuchatgpt

Severity: High
Published: Thu Mar 20 2025 (03/20/2025, 10:11:29 UTC)
Source: CVE Database V5
Vendor/Project: gaizhenbiao
Product: gaizhenbiao/chuanhuchatgpt

Description

An unauthenticated Denial of Service (DoS) vulnerability was identified in ChuanhuChatGPT version 20240918, which could be exploited by sending large data payloads using a multipart boundary. Although a patch was applied for CVE-2024-7807, the issue can still be exploited by sending data in groups with 10 characters in a line, with multiple lines. This can cause the system to continuously process these characters, resulting in prolonged unavailability of the service. The exploitation now requires low privilege if authentication is enabled due to a version upgrade in Gradio.

AI-Powered Analysis

Last updated: 10/15/2025, 13:15:51 UTC

Technical Analysis

CVE-2024-10650 is a Denial of Service vulnerability classified under CWE-770, Allocation of Resources Without Limits or Throttling. The affected product is ChuanhuChatGPT version 20240918 by gaizhenbiao, a Gradio-based chat front end.

An attacker sends a large multipart/form-data payload in which the data is arranged as many short lines of about 10 characters each. The server keeps processing these lines, exhausting resources and leaving the service unavailable for a prolonged period. CVE-2024-7807 addressed an earlier multipart-boundary DoS in the same product; this variant bypasses that patch by changing the shape of the data rather than its size, so a build that carries only the CVE-2024-7807 fix should not be assumed to be safe.

The privilege required depends on the deployment. With no authentication configured, the attack is unauthenticated. Because of a Gradio version upgrade, a deployment with authentication enabled now requires a low-privileged account, which still leaves the service exposed to any user who can log in. The CVSS vector scores the unauthenticated case.

The vulnerability impacts availability only, with no direct confidentiality or integrity compromise. The CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base score 7.5) indicates network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or integrity impact, and high availability impact. No public exploits have been reported yet, but the ease of exploitation and high impact make this a significant risk for deployments of ChuanhuChatGPT, especially where continuous availability of the chatbot is relied upon.

Potential Impact

For European organizations, the primary impact is service unavailability of AI chatbot systems running ChuanhuChatGPT, which could disrupt business operations, customer interactions, and internal workflows relying on these AI services. Prolonged downtime could lead to loss of productivity, customer dissatisfaction, and potential financial losses. Organizations in sectors such as finance, healthcare, telecommunications, and public services that increasingly integrate AI chatbots for customer support or decision assistance are particularly vulnerable. The unauthenticated nature of the attack means that external threat actors can launch DoS attacks without needing credentials, increasing the risk of widespread disruption. Additionally, the low privilege requirement when authentication is enabled lowers the barrier for insider threats or compromised low-level accounts to exploit this vulnerability. While confidentiality and integrity are not directly impacted, the availability loss can indirectly affect trust and operational resilience. Given the growing reliance on AI-driven services in Europe, this vulnerability poses a significant operational risk if unmitigated.

Mitigation Recommendations

1. Apply the vendor's fix for CVE-2024-10650 as soon as it is available. This record lists no fixed version, and the CVE-2024-7807 patch alone does not cover this variant, so confirm the fix against this CVE rather than assuming an updated build is safe.
2. Enforce limits on multipart/form-data requests before they reach the application: a maximum request body size, a maximum number of parts and lines per body, and a read timeout. At a reverse proxy such as nginx, client_max_body_size and client_body_timeout provide the size and timeout controls. A size cap alone is not enough, because the reported payload is many short lines rather than one large blob, so the application or middleware should also bound the amount of work done per body.
3. Rate limit upload endpoints per source address, so that a single client cannot keep the server busy by resubmitting payloads that are individually within limits.
4. WAF rules that match repetitive 10-character lines can catch the published payload shape but are trivially evaded by changing the line length; treat such rules as a supplement to the size, part and line limits above, not a replacement.
5. Monitor reverse-proxy and application logs for bursts of multipart/form-data POSTs, unusually large request lengths from one source, and sustained CPU or memory usage on the worker handling uploads.
6. Restrict access to the service to trusted networks or a VPN, and enable Gradio authentication. Authentication reduces exposure but does not remove it: with authentication enabled, any low-privileged account can still trigger the condition.
7. Put worker-level resource quotas and request-processing timeouts in place so that a single runaway request is terminated rather than holding the service for a prolonged period.
8. Include multipart handling and DoS resilience in regular security assessments and penetration tests of the deployment.
9. Make sure operations teams treat sudden degradation of the chat front end as a possible exploitation symptom and know how to block the offending source quickly.
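The following is an added example of the bounding control recommended in items 2 and 7 above. It is not code from ChuanhuChatGPT or Gradio. It scans a multipart/form-data body chunk by chunk, counting bytes, CRLF-terminated lines and boundary markers, and rejects the request at the first violated bound instead of buffering and parsing the whole body. The limit values, the boundary string and the two sample bodies are constructed for the example; the flood body copies the shape the advisory describes (many lines of 10 characters each) and stays under the byte cap, which is why a line bound is needed in addition to a size bound.

```python
"""Added example: bounded pre-check for multipart/form-data bodies (not project code)."""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator


class MultipartLimitError(ValueError):
    """Raised as soon as a request body crosses a configured bound."""


@dataclass(frozen=True)
class MultipartLimits:
    # Hypothetical defaults; tune them to the largest legitimate upload.
    max_body_bytes: int = 1_000_000
    max_boundary_markers: int = 16   # one per part plus the closing marker
    max_lines: int = 2_000           # CRLF count; the reported flood is many short lines


_BOUNDARY_RE = re.compile(r'boundary="?([^";,\s]+)"?')


def delimiter_from_content_type(content_type: str) -> bytes:
    """Return b'--<boundary>' or reject a multipart body with no boundary parameter."""
    m = _BOUNDARY_RE.search(content_type)
    if not m:
        raise MultipartLimitError("multipart/form-data without a boundary parameter")
    return b"--" + m.group(1).encode("ascii")


def _count_new(window: bytes, tail_len: int, needle: bytes) -> int:
    """Count occurrences of needle that end inside the new chunk.

    window = carried-over tail + new chunk. Anything wholly inside the tail was
    counted on the previous call, so only starts >= tail_len - len(needle) + 1 count.
    """
    return window.count(needle, max(0, tail_len - len(needle) + 1))


def check_multipart_stream(chunks: Iterable[bytes], content_type: str,
                           limits: MultipartLimits = MultipartLimits()) -> dict:
    """Scan a body as it is read and stop at the first violated bound.

    Only a small tail is retained between chunks, so a flood is rejected after a
    few chunks rather than after the whole upload has been read and parsed.
    """
    delimiter = delimiter_from_content_type(content_type)
    keep = len(delimiter) - 1      # longest marker prefix that can straddle two chunks
    seen = markers = lines = 0
    tail = b""
    for chunk in chunks:
        seen += len(chunk)
        if seen > limits.max_body_bytes:
            raise MultipartLimitError(f"body exceeds {limits.max_body_bytes} bytes")
        window = tail + chunk
        lines += _count_new(window, len(tail), b"\r\n")
        markers += _count_new(window, len(tail), delimiter)
        if lines > limits.max_lines:
            raise MultipartLimitError(f"more than {limits.max_lines} lines in body")
        if markers > limits.max_boundary_markers:
            raise MultipartLimitError(f"more than {limits.max_boundary_markers} parts")
        tail = window[-keep:] if keep else b""
    return {"bytes": seen, "boundary_markers": markers, "lines": lines}


def build_multipart(boundary: str, payload: bytes, name: str = "file") -> bytes:
    """Construct a one-part body (test fixture, not captured traffic)."""
    b = boundary.encode("ascii")
    head = (b"--" + b + b"\r\n"
            + b'Content-Disposition: form-data; name="' + name.encode("ascii")
            + b'"; filename="upload.txt"\r\n'
            + b"Content-Type: text/plain\r\n\r\n")
    return head + payload + b"\r\n--" + b + b"--\r\n"


def chunked(data: bytes, size: int = 8192) -> Iterator[bytes]:
    """Yield data in fixed-size pieces, the way a server reads a request body."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


CONTENT_TYPE = "multipart/form-data; boundary=----demo"   # constructed
BENIGN = build_multipart("----demo", b"hello\r\nworld\r\n")
# Shape described in the advisory: many lines of 10 characters each, under the byte cap.
FLOOD = build_multipart("----demo", (b"A" * 10 + b"\r\n") * 50_000)


def demo() -> dict:
    """Run both fixtures and report how much of the flood was read before rejection."""
    ok = check_multipart_stream(chunked(BENIGN), CONTENT_TYPE)
    read = 0

    def watched():
        nonlocal read
        for c in chunked(FLOOD):
            read += len(c)
            yield c

    try:
        check_multipart_stream(watched(), CONTENT_TYPE)
        rejected = None
    except MultipartLimitError as e:
        rejected = str(e)
    try:
        delimiter_from_content_type("multipart/form-data")
        no_boundary = False
    except MultipartLimitError:
        no_boundary = True
    return {"benign": ok, "flood_rejected": rejected, "flood_bytes_read": read,
            "flood_bytes_total": len(FLOOD), "no_boundary_rejected": no_boundary}


if __name__ == "__main__":
    print(demo())
```

The check belongs in front of the framework's own multipart parser (for example in an ASGI middleware that wraps the receive channel), and it must be applied to chunked requests as well, since a Content-Length check alone says nothing about how many lines a body of a given size contains.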
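As an added example for the log monitoring in item 5 (not code from the project or the page), the detector below reads reverse-proxy log lines and flags a source address that sends an unusual number of upload POSTs, or an unusual volume of request bytes, within a short window. The log format is hypothetical: it assumes nginx has been configured to log $request_length, which the default combined format does not include. The endpoint path /upload, the thresholds and the sample lines are all constructed for the example.

```python
"""Added example: sliding-window detector for upload floods in proxy logs (not project code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical custom log format: $remote_addr [$time_local] "$request" $status $request_length
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<length>\d+)$')

# Constructed sample: one client repeats ~1.2 MB uploads once per second, another is normal.
SAMPLE_LOG = """\
203.0.113.7 [20/Mar/2025:10:11:29 +0000] "POST /upload HTTP/1.1" 200 1200043
203.0.113.7 [20/Mar/2025:10:11:30 +0000] "POST /upload HTTP/1.1" 200 1200043
198.51.100.4 [20/Mar/2025:10:11:31 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 [20/Mar/2025:10:11:31 +0000] "POST /upload HTTP/1.1" 200 1200043
203.0.113.7 [20/Mar/2025:10:11:32 +0000] "POST /upload HTTP/1.1" 200 1200043
203.0.113.7 [20/Mar/2025:10:11:33 +0000] "POST /upload HTTP/1.1" 200 1200043
198.51.100.4 [20/Mar/2025:10:12:05 +0000] "POST /upload HTTP/1.1" 200 20480
"""


def detect_upload_floods(log_text: str, *, upload_paths=("/upload",),
                         window: timedelta = timedelta(seconds=10),
                         max_requests: int = 5, max_bytes: int = 4_000_000) -> list:
    """Return one alert per source address that exceeds either bound inside the window.

    Lines must be in chronological order (as a tailed log file is). Unparsable
    lines are skipped so a malformed entry cannot stop the pipeline.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, request_length)
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] not in upload_paths:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, length = m["ip"], int(m["length"])
        q = recent[ip]
        q.append((ts, length))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        total = sum(n for _, n in q)
        if ip not in flagged and (len(q) >= max_requests or total >= max_bytes):
            flagged.add(ip)
            alerts.append({"ip": ip, "at": ts.isoformat(),
                           "requests": len(q), "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in detect_upload_floods(SAMPLE_LOG):
        print(alert)
```

Thresholds should be set from a baseline of legitimate upload traffic; the byte bound is the one that matters for this CVE, because a flood of bodies that are each within the size limit still adds up to sustained processing on the upload worker.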


Technical Details

Data Version
5.1
Assigner Short Name
@huntr_ai
Date Reserved
2024-10-31T21:49:09.971Z
Cvss Version
3.0
State
PUBLISHED

Threat ID: 68ef9b22178f764e1f470a2d

Added to database: 10/15/2025, 1:01:22 PM

Last enriched: 10/15/2025, 1:15:51 PM

Last updated: 11/26/2025, 1:56:21 PM

