The vulnerability, described by a researcher as “bad programming,” allows an attacker to send unlimited connection requests through ChatGPT’s API.
January 22, 2025 By Derek B. Johnson
A vulnerability in ChatGPT’s API can generate DDoS attacks against targeted websites, but the security researcher who discovered it says the flaw has since been addressed by OpenAI.
In a security advisory posted to the developer platform GitHub, German security researcher Benjamin Flesch detailed the bug, which occurs when the API is processing HTTP POST requests to the back-end server.
The API is set up to receive hyperlinks in the form of URLs, but in a move Flesch described as “bad programming,” OpenAI did not have a limit on the number of URLs that can be included in a single request. That error allows an attacker to cram thousands of URLs within a single request, something that could overload traffic to a targeted website.
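The missing control is a server-side bound on the URL list. The sketch below is an added example, not OpenAI's code or anything from Flesch's advisory: the `urls` field name, both limits and the helper names are assumptions chosen for illustration. It rejects oversized lists before inspecting any element, collapses trivially varied duplicates, and caps how many URLs in one request may point at the same host.

```python
from urllib.parse import urlsplit

MAX_URLS = 10      # assumed cap on URLs per request
MAX_PER_HOST = 2   # assumed cap on URLs aimed at one host per request


class RejectedRequest(ValueError):
    """Raised when a request body fails validation (map to HTTP 400)."""


def url_key(url):
    """Return (host, port, path, query) so trivially varied duplicates collapse."""
    if not isinstance(url, str):
        raise RejectedRequest("every URL must be a string")
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        raise RejectedRequest(f"malformed URL: {url!r}") from exc
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise RejectedRequest(f"unsupported URL: {url!r}")
    host = parts.hostname.rstrip(".")  # urlsplit already lowercases the host
    default = 443 if parts.scheme == "https" else 80
    return host, port or default, parts.path or "/", parts.query


def validate_urls(body):
    """Return the de-duplicated URLs from a request body, or raise RejectedRequest."""
    urls = body.get("urls") if isinstance(body, dict) else None  # assumed field name
    if not isinstance(urls, list):
        raise RejectedRequest("'urls' must be a list")
    # Check the count before touching any element, so a huge list is cheap to refuse.
    if len(urls) > MAX_URLS:
        raise RejectedRequest(f"{len(urls)} URLs sent, limit is {MAX_URLS}")
    accepted, seen, per_host = [], set(), {}
    for url in urls:
        key = url_key(url)
        if key in seen:
            continue  # same resource written differently: fetch it once
        seen.add(key)
        per_host[key[0]] = per_host.get(key[0], 0) + 1
        if per_host[key[0]] > MAX_PER_HOST:
            raise RejectedRequest(f"too many URLs for host {key[0]!r}")
        accepted.append(url)
    return accepted
```

A per-request cap only bounds the amplification from one call; limiting how often a client may call the endpoint is a separate control.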