Researchers Trick ChatGPT into Exposing System Files via Path Traversal

A researcher demonstrated a four-step exploit chain using social engineering and path traversal to access restricted system files in ChatGPT's sandboxed environment.

CSBadmin

The Attack Chain

Security researcher zer0dac discovered a multi-step vulnerability chain in ChatGPT that could allow attackers to read restricted system files like /etc/passwd. The exploit began with a routine file upload, which created a sandboxed file path. When the researcher tried to directly request a download link, ChatGPT denied access, citing its deletion policy.

Through social engineering, the researcher first asked ChatGPT to edit the uploaded file, then claimed it was accidentally deleted. This tricked the LLM into generating a valid download URL, bypassing the deletion restriction. The exposed endpoint revealed a backend API structure with a sandbox_path parameter.

Path Traversal and Impact

With a valid download endpoint, the researcher targeted the sandbox_path parameter using a path traversal technique. Instead of a simple traversal payload like ../../../../etc/passwd, which would trigger validation, they appended traversal sequences after the legitimate path: /mnt/data/test.html/../../../../etc/passwd. Because the path was normalized inconsistently, the request bypassed the validation logic and successfully returned the contents of /etc/passwd.
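The sketch below is an added example, not code from OpenAI or the researcher. The article does not describe the actual validation logic, so `naive_is_allowed` assumes a prefix check on the raw string, and `resolve_inside_root` shows the normalize-then-contain check that rejects the same input; all function names are hypothetical.

```python
import posixpath

SANDBOX_ROOT = "/mnt/data"  # upload directory named in the article


def naive_is_allowed(sandbox_path: str) -> bool:
    """Assumed weak check: inspects the raw string and never normalizes it."""
    return sandbox_path.startswith(SANDBOX_ROOT + "/")


def resolve_inside_root(sandbox_path: str, root: str = SANDBOX_ROOT) -> str:
    """Normalize first, then require the result to stay under root.

    Returns the normalized path, or raises ValueError if it escapes root.
    """
    if "\x00" in sandbox_path:
        raise ValueError("NUL byte in path")
    # join() anchors relative input at root; absolute input replaces root
    # and is then caught by the containment check below.
    normalized = posixpath.normpath(posixpath.join(root, sandbox_path))
    # commonpath compares whole components, so /mnt/database does not
    # pass as a child of /mnt/data the way a string prefix test would.
    if posixpath.commonpath([root, normalized]) != root:
        raise ValueError(f"path escapes sandbox: {normalized}")
    # normpath is purely lexical; on a real filesystem, os.path.realpath
    # would also be needed to resolve symlinks before this comparison.
    return normalized


def hardened_is_allowed(sandbox_path: str) -> bool:
    try:
        resolve_inside_root(sandbox_path)
        return True
    except ValueError:
        return False


# Inputs taken from the article, plus one legitimate path for contrast.
SAMPLES = [
    "/mnt/data/test.html",
    "../../../../etc/passwd",
    "/mnt/data/test.html/../../../../etc/passwd",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r}: naive={naive_is_allowed(p)} "
              f"hardened={hardened_is_allowed(p)}")
```

The third sample is the one the two checks disagree on: the raw string starts with /mnt/data/, but its normalized form is /etc/passwd.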

OpenAI has since remediated the vulnerability by redesigning the URL download flow. While the practical impact was limited because ChatGPT’s code execution environment is sandboxed, the disclosure highlights how LFI and path traversal primitives can serve as building blocks in larger exploit chains, especially in agentic or tool-augmented LLM architectures where sandboxes may have broader file access.

Source: Cyber Security News
