I published new security research documenting two critical vulnerabilities in OpenAI's ChatGPT Code Interpreter that form a complete attack chain.
Key Findings
Critical Failure A: Python Pickle RCE (CWE-502)
The Python pickle module allows arbitrary code execution when processing attacker-controlled serialized objects. Malicious pickle payloads successfully execute within the sandbox via the __reduce__ method, achieving RCE at user privilege level.
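Added example, not part of the original research or the linked repo: a defensive illustration of why the __reduce__ hook is dangerous and two mitigations. A pickle stream carries GLOBAL/STACK_GLOBAL and REDUCE opcodes that name an importable callable and invoke it at load time, so the code (1) scans the opcode stream with pickletools before loading anything and (2) loads through an Unpickler whose find_class only resolves an allowlist. The demo object's __reduce__ deliberately points at a harmless callable (os.getcwd); the callable, the allowlist and the sample data are all constructed for this example.

```python
"""Static pickle inspection and a restricted loader (defensive example).

Not from the original writeup. Demonstrates the REDUCE mechanism behind
CWE-502 pickle RCE with a harmless callable, and two mitigations:
  1. scan_pickle(): inspect opcodes with pickletools without executing them
  2. safe_loads(): unpickle with a find_class() allowlist
"""
import io
import os
import pickle
import pickletools

# Opcodes that resolve a module-level name or build/call an object from one.
# Any of these means the stream can reach importable code, which plain
# dict/list/str data never needs.
DANGEROUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
}


def scan_pickle(data):
    """Return the names of dangerous opcodes found in `data`.

    pickletools.genops walks the stream symbolically, so nothing is
    executed. Note the caveat: legitimate class instances (even builtins
    like set) also use GLOBAL/REDUCE, so treat a hit as "needs review",
    not as proof of an exploit.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in DANGEROUS_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an explicit (module, name) allowlist.

    The allowlist below is a constructed example; populate it with the
    types your application genuinely needs to round-trip.
    """
    ALLOWED = {
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data):
    """Drop-in replacement for pickle.loads with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Trigger:
    """Constructed demo object: pickling it emits a REDUCE of os.getcwd(),
    so a plain pickle.loads() would call that function on load. The
    callable is harmless here; the hook is what the finding above abuses."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample streams: ordinary data vs. a stream that calls a function.
BENIGN = pickle.dumps({"user": "alice", "scores": [1, 2, 3]})
TRIGGER = pickle.dumps(Trigger())


def demo():
    """Run scanner and restricted loader over both streams; return results."""
    results = {
        "benign_flags": scan_pickle(BENIGN),      # expected: []
        "trigger_flags": scan_pickle(TRIGGER),    # expected: contains REDUCE
        "benign_load": safe_loads(BENIGN),
    }
    try:
        safe_loads(TRIGGER)
        results["trigger_blocked"] = False
    except pickle.UnpicklingError:
        results["trigger_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The scanner is the cheap first gate (reject any untrusted blob that references a global at all); the restricted Unpickler is the finer control when instances of known types must be accepted. Neither makes pickle safe for attacker-controlled input in general; the durable fix is a data-only format such as JSON for anything that crosses a trust boundary.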
Critical Failure B: DNS Exfiltration via Canvas Rendering (CWE-200)
While the sandbox blocks direct outbound connections, the ChatGPT canvas creates an uncontrolled egress channel. When the model prints hostname-like strings, the canvas renders them, triggering DNS queries from the user's browser. Data encoded in subdomain labels is captured by an attacker-controlled nameserver.
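Added example, not part of the original research or the linked repo: detection logic for the egress channel just described, run over constructed resolver query-log lines. Because the queries originate from the user's browser, the useful vantage point is the resolver those endpoints use, not the sandbox network. The code assumes a constructed log format of `<timestamp> <client_ip> <qtype> <qname>` per line (adapt parse_line for a real resolver), and combines two heuristics: a long, high-entropy leftmost label (encoded data in a subdomain) and many distinct subdomains under one parent from a single client (a channel carrying many chunks). The thresholds and the domain `ns.attacker.example` are constructed values for the example.

```python
"""Heuristic detection of DNS-based exfiltration in resolver query logs.

Added example, not from the original writeup. Assumes a constructed log
line format "<ts> <client_ip> <qtype> <qname>"; adjust parse_line() for
your resolver (dnsmasq, BIND querylog, Zeek dns.log, ...).
"""
import math
import re
from collections import defaultdict

# Constructed sample log: normal browsing plus four hex-encoded chunks
# queried under a single parent domain from one client.
LOG_LINES = """\
2025-01-15T10:00:01Z 10.0.0.5 A www.example.com
2025-01-15T10:00:02Z 10.0.0.5 A cdn.example.com
2025-01-15T10:00:03Z 10.0.0.5 A 4f6b3a9c2e1d8b7a.ns.attacker.example
2025-01-15T10:00:03Z 10.0.0.5 A 9e2c71ab04d5f3e6.ns.attacker.example
2025-01-15T10:00:04Z 10.0.0.5 A c8d1e0f7a2b3c4d5.ns.attacker.example
2025-01-15T10:00:04Z 10.0.0.5 A 0a1b2c3d4e5f6a7b.ns.attacker.example
2025-01-15T10:00:05Z 10.0.0.7 A mail.example.com
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_label(label, min_len=12, min_entropy=3.0):
    """Flag a leftmost label that looks like an encoded payload chunk.

    Thresholds are constructed starting points: 16 hex characters score
    about 3.75 bits here, while hostnames like 'www' or 'mail' are too
    short to be considered at all.
    """
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def analyze(lines, fanout_threshold=4):
    """Return alert tuples for per-query and per-(client, parent) signals."""
    alerts = []
    seen = defaultdict(set)  # (client, parent_domain) -> distinct leftmost labels
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        first, _, parent = rec["qname"].partition(".")
        if suspicious_label(first):
            alerts.append(("high_entropy_label", rec["client"], rec["qname"]))
        seen[(rec["client"], parent)].add(first)
    # Many unique subdomains under one parent from one client is the
    # fan-out pattern of chunked exfiltration, even if each label looks benign.
    for (client, parent), labels in seen.items():
        if len(labels) >= fanout_threshold:
            alerts.append(("subdomain_fanout", client, parent, len(labels)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG_LINES):
        print(alert)
```

On the sample input the four encoded queries trigger the per-query signal and the single parent domain trips the fan-out signal, while the example.com lookups produce nothing. In production the fan-out counter should be windowed by time and the parent computed against a public-suffix list, and the client IP tells you which user's browser rendered the hostnames, which is the pivot back to the conversation that emitted them.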
Why This Matters
These two failures combine into a unified kill chain: Pickle RCE harvests secrets from the sandbox environment, and DNS exfiltration via canvas rendering smuggles them out — bypassing all server-side network controls because the DNS queries originate from the user's browser.
Meta acknowledged and patched the same vulnerability class (CVE-2024-50050, pickle deserialization in Llama-Stack) within 11 days. OpenAI dismissed this report.
Full Research
Read the complete writeup with evidence, MITRE ATT&CK mapping, and technical details:
👉 Dual Critical Failures: RCE & DNS Exfiltration in ChatGPT Canvas
GitHub repo with logs and evidence: github.com/SnailSploit/chatgpt-rce-dns