Advisory

SSRF vulnerability in ChatGPT Custom GPTs actions exposes Azure cloud infrastructure

Take action: This is a classic web application vulnerability and has nothing to do with AI. But it is a clear example that new applications and services still carry the old flaws of regular web applications, on top of the AI-specific flaws. If you're building AI platforms with external API integrations, always strictly validate URLs, block internal IP addresses, and strip all internal headers from external requests on the ingress.


Learn More

OpenAI has patched a Server-Side Request Forgery (SSRF) vulnerability in ChatGPT's Custom GPT Actions feature. Server-Side Request Forgery occurs when an application fails to properly validate user-supplied URLs, allowing attackers to trick the server into making unauthorized requests to internal network resources or cloud metadata services.

The vulnerability allowed authenticated ChatGPT Plus users to access internal cloud metadata services and extract sensitive Azure Management API access tokens, potentially enabling complete compromise of OpenAI's cloud resources. 

The vulnerability is in the Actions functionality of Custom GPTs, a premium feature available to ChatGPT Plus subscribers that allows users to create specialized versions of ChatGPT configured with custom instructions, knowledge bases, and external API integrations. This feature enables custom GPTs to interact with external APIs by accepting OpenAPI schemas that define how the AI should communicate with third-party services. Users can specify API endpoints and authentication methods, and test these integrations directly within the ChatGPT interface. Due to insufficient validation of user-provided URLs in this Actions section, an attacker can craft malicious API configurations that point to internal services instead of external endpoints.

The researcher discovered that they could configure an internal URL of Azure's Instance Metadata Service (IMDS), accessible internally at the IP address 169.254.169.254. This service contains information about cloud instances including network configurations, security credentials, and temporary access tokens for broader API access. The metadata service is designed not to be accessible from outside an Azure cloud instance.

The researcher first sent ChatGPT an external URL that responded with a custom HTTP 302. When the ChatGPT server attempted to fetch data from the researcher's HTTPS URL, it followed the redirect chain to the internal HTTP metadata endpoint. Azure requires all requests to its IMDS to include a specific "Metadata: true" header as a security measure to prevent SSRF attacks. But the authentication settings in the Custom GPT Actions feature allowed the creation of custom API keys with arbitrary names and values. By creating an API key named "Metadata" with the value "True," the researcher injected the required header into outbound requests, satisfying Azure's IMDS authentication requirement.

The proof of concept involved requesting an OAuth2 token for Azure's Management API through the metadata endpoint at http://169.254.169.254/metadata/identity/oauth2/token. The response contained a valid Azure Management API access token, which would grant an attacker direct access to OpenAI's cloud infrastructure with permissions to potentially enumerate resources, modify configurations, access storage accounts, or escalate privileges within the cloud environment. 

No CVE identifier has been assigned to this vulnerability, but OpenAI rated it as High Severity and implemented a patch almost immediately after disclosure through their Bugcrowd bug bounty program.

Organizations deploying AI platforms with similar external integration capabilities should include strict allowlisting of external domains and IP ranges for API integrations, with explicit blocking of internal IP address ranges including RFC 1918 private addresses and cloud metadata service endpoints. 
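
The checks recommended above, sketched as an added example (not code from OpenAI or from the original report): an outbound-request guard that validates every hop of a redirect chain against internal address ranges and drops tenant-supplied header names such as "Metadata". The function names, the `RESERVED_HEADERS` list and the `example.test` hosts are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed deny list of header names a tenant may not set; extend per platform.
RESERVED_HEADERS = {"metadata", "metadata-flavor", "host", "x-forwarded-for"}
# Constructed DNS answers so the example runs offline (hypothetical hosts).
SAMPLE_DNS = {"api.example.test": {"93.184.216.34"},
              "internal-alias.example.test": {"93.184.216.34", "10.0.0.5"}}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, {host})  # IP literals resolve to themselves

def system_resolve(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    # is_global is False for RFC 1918, loopback and link-local 169.254.0.0/16
    return (ip if mapped is None else mapped).is_global

def check_url(url, resolve=system_resolve):
    """Return None if the fetcher may connect to url, otherwise the reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme not https"
    try:
        addrs = resolve(parts.hostname or "")
        bad = sorted(a for a in addrs if not is_public(a))
    except (OSError, ValueError):
        return "unresolvable host"
    if not addrs:
        return "unresolvable host"
    return f"internal address {bad[0]}" if bad else None

def check_chain(hops, resolve=system_resolve):
    """Validate every hop of a redirect chain; return (index, reason) or None."""
    for i, url in enumerate(hops):
        reason = check_url(url, resolve)
        if reason:
            return i, reason
    return None

def filter_headers(user_headers):
    """Drop tenant-supplied headers whose names collide with reserved ones."""
    return {k: v for k, v in user_headers.items()
            if k.strip().lower() not in RESERVED_HEADERS}
```

For these checks to hold, the HTTP client must have automatic redirect following disabled so each `Location` target passes through `check_url`, and it must connect to the address that was validated rather than resolving the name a second time.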
