CVE-2024-6090: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in gaizhenbiao gaizhenbiao/chuanhuchatgpt
A path traversal vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410, allowing any user to delete other users' chat histories. This vulnerability can also be exploited to delete any files ending in `.json` on the target system, leading to a denial of service as users are unable to authenticate.
AI Analysis
Technical Summary
CVE-2024-6090 is a path traversal vulnerability (CWE-22) identified in the gaizhenbiao/chuanhuchatgpt software, specifically in version 20240410. The flaw allows an attacker to manipulate file path inputs to bypass directory restrictions, enabling deletion of arbitrary files ending with the .json extension on the target system. This includes the ability to delete other users' chat histories stored as JSON files, as well as critical authentication-related files, resulting in denial of service by preventing legitimate user authentication. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS v3.0 score of 7.5 reflects high severity due to network attack vector, low attack complexity, no privileges required, and a significant impact on availability. No patches or known exploits have been reported yet, but the vulnerability poses a serious threat to the integrity of stored data and the availability of the chat service. The root cause is improper limitation of pathname inputs, allowing directory traversal sequences to escape intended restricted directories. This indicates insufficient input validation and lack of secure coding practices around file system operations within the application.
Potential Impact
For European organizations using gaizhenbiao/chuanhuchatgpt, this vulnerability can lead to critical service disruptions by deleting essential JSON files, including authentication data and user chat histories. This results in denial of service, loss of user data, and potential operational downtime. Organizations relying on this software for communication or AI chatbot services may face degraded user trust and productivity loss. The lack of authentication requirement means attackers can exploit this remotely without insider access, increasing exposure. If exploited at scale, it could disrupt multiple users or departments simultaneously. Additionally, deletion of authentication files may require costly recovery efforts and incident response. The impact extends beyond availability to potential indirect effects on confidentiality if attackers leverage deleted data to cause confusion or cover tracks. Overall, the threat undermines service reliability and data integrity critical to business continuity.
Mitigation Recommendations
Immediate mitigation should focus on applying any available patches from the vendor once released. In the absence of patches, organizations should implement strict input validation to sanitize and canonicalize all file path inputs, ensuring traversal sequences (e.g., ../) are blocked. Employing allowlists for file names and extensions can reduce risk. Restrict file deletion operations to authenticated and authorized users only, enforcing role-based access controls. Monitoring file system activity for unusual deletion patterns of .json files can provide early detection. Isolating the application in a sandbox or container with limited file system permissions can minimize impact. Regular backups of critical JSON files, especially authentication data and user histories, are essential for recovery. Network-level protections such as web application firewalls (WAFs) can help detect and block path traversal attempts. Finally, conduct code reviews and security testing focused on file handling to prevent similar issues in future releases.
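The canonicalize-then-contain check and the name/extension allowlist recommended above can be written as follows. This is an added example, not code from chuanhuchatgpt or its maintainers; the `<root>/<username>/<name>.json` layout, the function names and the sample requests are assumptions, and `username` is taken to come from the authenticated session rather than from the request.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical layout: <root>/<username>/<chat name>.json
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,99}")

class UnsafePath(ValueError):
    """Raised when a requested name would leave the caller's own directory."""

def resolve_history_file(root: Path, username: str, filename: str) -> Path:
    """Return the canonical path of one of username's .json histories, or raise."""
    for part in (username, filename):
        # Allowlist: one plain path component (no separators, no leading dot).
        if not SAFE_NAME.fullmatch(part):
            raise UnsafePath(f"rejected name: {part!r}")
    if not filename.endswith(".json"):
        raise UnsafePath("only .json history files may be addressed")
    user_dir = (root / username).resolve()
    target = (user_dir / filename).resolve()  # canonicalize, following symlinks
    # Containment is checked on the canonical path, not on the raw string.
    if target.parent != user_dir:
        raise UnsafePath(f"{target} is outside {user_dir}")
    return target

def delete_history(root: Path, username: str, filename: str) -> bool:
    """Delete a history file only if it resolves inside the caller's directory."""
    target = resolve_history_file(root, username, filename)
    if not target.is_file():
        return False
    target.unlink()
    return True

def demo() -> dict:
    """Run constructed requests as user 'alice' against a throwaway tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root, auth = Path(tmp) / "history", Path(tmp) / "auth.json"
        for user in ("alice", "bob"):
            (root / user).mkdir(parents=True)
            (root / user / "chat1.json").write_text("{}")
        auth.write_text("{}")  # stand-in for a credential store
        results = {}
        for name in ("chat1.json", "../bob/chat1.json", "../../auth.json", "notes.txt"):
            try:
                results[name] = delete_history(root, "alice", name)
            except UnsafePath:
                results[name] = "rejected"
        results["others_intact"] = (root / "bob" / "chat1.json").exists() and auth.exists()
        return results
```

Because the containment test runs on the resolved path, a symlink placed inside the user's directory that points elsewhere is rejected as well.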
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-06-17T18:13:08.042Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b2a178f764e1f470d44
Added to database: 10/15/2025, 1:01:30 PM
Last enriched: 10/15/2025, 1:35:03 PM
Last updated: 10/16/2025, 2:53:24 PM