Liner Insecure Direct Object Reference Vulnerability
漏洞信息
漏洞名称: Liner Insecure Direct Object Reference Vulnerability
漏洞编号:
- CVE: CVE-2025-51869
漏洞类型: 未授权访问
漏洞等级: 高危
漏洞描述: Liner是一个可靠的AI搜索引擎,全球拥有超过1000万用户。Liner基于LLM构建了一个搜索引擎,其聊天组件存在不安全的直接对象引用(IDOR)漏洞。攻击者可以利用此IDOR篡改其他用户的对话。
漏洞解释:所有用户的对话历史都存储在服务器上。然而,Liner的服务器没有区分单个对话历史的所有权或共享状态。因此,攻击者可以通过暴力破解对话消息ID来访问其他用户的对话历史。此外,还存在space_id和thread_id,我们发现当请求对话历史时,服务器仅检查message_id来检索对话。
产品厂商: Liner
产品名称: Liner AI search engine
来源: https://github.com/Secsys-FDU/CVE-2025-51869
类型: CVE-2025:github search
仓库文件
- README.md
- figure1.png
来源概述
CVE-2025-51869
Vulnerability description
Liner is a reliable AI search engine with over 10 million users worldwide. Liner construct a search engine based on LLM, which is vulnerable to Insecure Direct Object Reference (IDOR) in its chat component. An attacker can exploit this IDOR to tamper other users’ conversation.
Attack Vectors
Conversation histories for all users are stored on the server. However,Liner’s server does not distinguish the ownership or sharing status of individual conversation histories. Consequently, an attacker can access other users’ conversation histories by brute-forcing the conversation message IDs. Also there are space_id and thread_id, we found that when requesting a conversation history the server only checks the message_id to retrieve conversation.
The message ID format is predictable and susceptible to brute-force attacks. It consists of an 9-character string. This string is composed of digits (e.g., 123456789) and this id is in ascending order. When an attacker request this api with attacker’s Authorization and GET method, he can then check the conversation history in POC.
Vulnerability affected
This vulnerability can have an impact on any user of https://getliner.com. The Chat history of user will be tampered with brute-forced message_id.