Recently, security researcher zer0dac disclosed a security vulnerability in ChatGPT. This vulnerability allows attackers to bypass some file access restrictions by using prompt injection and path traversal techniques, thereby obtaining unauthorized additional data. Currently, OpenAI has fixed the relevant mechanisms after receiving the report.
According to the analysis, the core issue lies in how ChatGPT handles uploaded files. Normally, after a user uploads a file, the system does not provide a direct download function for the original file. If a user attempts to request a download, the system usually responds that the file belongs to temporary session content and cannot be extracted.

However, zer0dac discovered a "bypass" path during testing: if a user first prompts ChatGPT to edit the uploaded file, and then requests a download link by claiming the file was accidentally deleted, ChatGPT will generate an effective download URL. Through this link, attackers can not only access internal retrieval paths but also further use path traversal techniques to attempt to break through permission restrictions and read file contents outside the target path.
Although zer0dac pointed out that due to ChatGPT's existing sandbox mechanism, the vulnerability itself cannot directly obtain highly sensitive data, it could become a key component in a complex attack chain, providing possibilities for subsequent in-depth attacks. Currently, OpenAI has made targeted optimizations, adjusting the logic of generating file download URLs, thus eliminating the risk of internal file path exposure at the source. This incident once again reminds developers that input filtering and permission isolation in user interaction are still the top priorities in security protection during the development of large model applications.
