Ai2 Playground Web Application Insecure Direct Object Reference Vulnerability

漏洞信息

漏洞名称： Ai2 Playground Web Application Insecure Direct Object Reference Vulnerability

漏洞编号：

• CVE： CVE-2025-51865

漏洞类型： 未授权访问

漏洞等级： 中危

漏洞描述： Ai2是一个位于西雅图的非营利性人工智能研究机构，提供了一个与他们的LLM聊天的游乐场Web应用程序。该应用程序的聊天组件存在不安全的直接对象引用（IDOR）漏洞。攻击者可以利用此IDOR篡改其他用户的对话。所有用户的对话历史都存储在服务器上，但Ai2的服务器不区分单个对话历史的所有权或共享状态。因此，攻击者可以通过暴力破解对话消息ID来访问其他用户的对话历史，即使是那些未被其所有者公开共享的对话。对话消息ID格式是可预测的，容易受到暴力攻击。它由一个固定的前缀msg_后跟一个10个字符的字符串组成，该字符串由交替的大写字母和数字组成（例如A1A1A1A1A1）。此漏洞可能对https://playground.allenai.org的任何用户产生影响。用户的聊天历史可能会被暴力破解的message_id窃取。

产品厂商： Ai2

产品名称： Ai2 Playground Web Application

来源： https://github.com/Secsys-FDU/CVE-2025-51865

类型： CVE-2025:github search

仓库文件

• README.md
• figure1.png
• figure2.png

来源概述

CVE-2025-51865

Vulnerability description

Ai2 is a Seattle based non-profit AI research institute. Ai2 provide a playground web application to chat with their LLM, which is vulnerable to Insecure Direct Object Reference (IDOR) in its chat component. An attacker can exploit this IDOR to tamper other users’ conversation.

Attack Vectors

Conversation histories for all users are stored on the server. However, Ai2’s server does not distinguish the ownership or sharing status of individual conversation histories. Consequently, an attacker can access other users’ conversation histories, even those not publicly shared by their owners, by brute-forcing the conversation message IDs.

The conversation message ID format is predictable and susceptible to brute-force attacks. It consists of a fixed prefix msg_ followed by a 10-character string. This string is composed of alternating uppercase letters and digits (e.g., A1A1A1A1A1). The POC is as fowllowing:

Vulnerability affected

This vulnerability can have an impact on any user of https://playground.allenai.org. The chat history of user will be stolen with brute-forced message_id.