CVE-2024-6038: CWE-1333 Inefficient Regular Expression Complexity in gaizhenbiao gaizhenbiao/chuanhuchatgpt
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability is located in the filter_history function within the utils.py module. This function takes a user-provided keyword and attempts to match it against chat history filenames using a regular expression search. Due to the lack of sanitization or validation of the keyword parameter, an attacker can inject a specially crafted regular expression, leading to a denial of service condition. This can cause severe degradation of service performance and potential system unavailability.
AI Analysis
Technical Summary
CVE-2024-6038 identifies a Regular Expression Denial of Service (ReDoS) vulnerability in the gaizhenbiao/chuanhuchatgpt software, specifically within the filter_history function in utils.py. This function accepts a user-provided keyword and applies a regular expression search against chat history filenames. Because the keyword is not sanitized or validated, an attacker can supply a crafted regex pattern that triggers catastrophic backtracking during the regex evaluation. This inefficiency in the regex engine leads to excessive CPU consumption, causing severe degradation of service performance or complete denial of service. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS v3.0 score of 7.5 reflects a high severity due to the network attack vector, low attack complexity, no privileges required, and no user interaction needed, with impact solely on availability. No patches or known exploits are currently documented, but the vulnerability is publicly disclosed and should be addressed promptly. The CWE-1333 classification highlights the root cause as inefficient regular expression complexity leading to resource exhaustion.
Potential Impact
For European organizations, exploitation of this vulnerability could result in denial of service conditions affecting applications or services relying on gaizhenbiao/chuanhuchatgpt, particularly those that use the filter_history function for keyword-based chat history searches. This could disrupt business operations, degrade user experience, and potentially cause downtime in customer-facing or internal AI/chatbot systems. Given the network-exploitable nature, attackers could launch remote attacks causing service outages without needing credentials, increasing the risk of widespread disruption. Organizations in sectors heavily dependent on AI-driven communication tools, such as technology firms, customer support centers, and research institutions, may face operational and reputational damage. Additionally, the lack of input validation could be exploited as part of a broader attack chain to amplify denial of service effects. The impact is primarily on availability, with no direct confidentiality or integrity compromise reported.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement strict input validation and sanitization on user-supplied keywords before they are used in regular expression operations. Limiting the complexity and length of regex patterns can prevent catastrophic backtracking. Employing regex libraries or engines that support timeouts or complexity limits can also reduce risk. If possible, refactor the filter_history function to avoid dynamic regex construction from untrusted input or replace regex matching with safer string matching techniques. Monitoring application performance and setting resource usage thresholds can help detect and mitigate ongoing attacks. Until an official patch is released, consider disabling or restricting access to the vulnerable feature. Additionally, applying network-level protections such as rate limiting and web application firewalls (WAFs) can help block suspicious requests containing malicious regex patterns. Regularly update the software and track vendor advisories for patches addressing this issue.
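The recommendation to stop building a regex from the untrusted keyword, shown as an added example (not the project's code; the function names, the sample filenames and the 64-character cap are assumptions, and the unsafe variant is reconstructed only from the advisory's description of filter_history):

```python
import re

MAX_KEYWORD_LEN = 64  # assumed cap; tune to the longest legitimate search term

# Constructed sample filenames, not taken from the project.
SAMPLE_FILES = ["Project notes.json", "a+b (draft).json", "shopping list.json"]


def filter_history_unsafe(keyword, filenames):
    """Pattern the advisory describes: the raw keyword is used as a regex."""
    return [name for name in filenames if re.search(keyword, name)]


def validate_keyword(keyword):
    """Accept only non-empty, bounded-length text; raise ValueError otherwise."""
    if not isinstance(keyword, str):
        raise ValueError("keyword must be a string")
    keyword = keyword.strip()
    if not keyword or len(keyword) > MAX_KEYWORD_LEN:
        raise ValueError("keyword must be 1-%d characters" % MAX_KEYWORD_LEN)
    return keyword


def filter_history_literal(keyword, filenames):
    """Preferred fix: case-insensitive substring test, no regex engine at all."""
    needle = validate_keyword(keyword).casefold()
    return [name for name in filenames if needle in name.casefold()]


def filter_history_escaped(keyword, filenames):
    """Alternative fix: keep re.search but escape every metacharacter first."""
    pattern = re.compile(re.escape(validate_keyword(keyword)), re.IGNORECASE)
    return [name for name in filenames if pattern.search(name)]


if __name__ == "__main__":
    for kw in (".*", "a+b", "PROJECT"):
        print(repr(kw), "unsafe:", filter_history_unsafe(kw, SAMPLE_FILES))
        print(repr(kw), "literal:", filter_history_literal(kw, SAMPLE_FILES))
        print(repr(kw), "escaped:", filter_history_escaped(kw, SAMPLE_FILES))
```

With the unsafe variant the keyword `.*` matches every file and `a+b` misses the file literally named that way, which shows the keyword is being parsed as pattern syntax; both hardened variants treat the same input as plain text.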
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-06-15T08:15:24.324Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b2a178f764e1f470d0d
Added to database: 10/15/2025, 1:01:30 PM
Last enriched: 10/15/2025, 1:38:35 PM
Last updated: 10/16/2025, 2:53:21 PM