Cache Poisoning via Path Normalization Discrepancy between Cloudflare CDN and Backend Server ($6500 USD)

We discussed this vulnerability during Episode 241 on 12 February 2024

This one comes down to a normalization difference between Cloudflare’s CDN and the ChatGPT backend server. The Cloudflare CDN was set up to cache all requests under the /share/ endpoint, and the check for whether a path matched that rule happened before any percent-encoded characters were decoded. On the backend, however, the path was routed based on the decoded version of the URL. So a request to an endpoint like /share/%2F..%2F/api/auth/session would be cached by Cloudflare because it fell under the /share/ prefix, but the content served by ChatGPT would come from /api/auth/session, which included the user’s access_token.
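To make the mismatch concrete, here is an added Python model of the two sides (example code written for this write-up, not Cloudflare's or OpenAI's code). `cdn_caches_raw` stands in for a cache rule that prefix-matches the still-encoded request path; `normalize_path` models a backend router that percent-decodes and resolves `..` and empty segments before routing (an assumption about typical framework behaviour); `cdn_caches_normalized` is the hardened rule, which matches only after the same normalization the backend applies. `assess` reports when the weak rule would cache a response that the backend actually serves from outside `/share/`, and `flag_log_lines` runs that check over a few constructed access-log lines so a defender can hunt for the pattern retrospectively. The log format and the `SENSITIVE_PREFIX` value are assumptions.

```python
"""Model the CDN-vs-backend path normalization discrepancy (constructed example)."""
from urllib.parse import unquote

CACHE_PREFIX = "/share/"      # cached prefix named in the write-up
SENSITIVE_PREFIX = "/api/"    # assumption: content under /api/ is per-user and must never be cached


def normalize_path(raw_path: str) -> str:
    """Percent-decode, collapse empty segments and resolve '.' / '..'.

    Models a backend that routes on the decoded path (assumed behaviour).
    Decoding runs first, so %2F becomes a separator and %2E%2E becomes '..'.
    """
    decoded = unquote(raw_path)
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue            # collapse '//' and drop '.'
        if seg == "..":
            if out:
                out.pop()       # climb one level, never above root
            continue
        out.append(seg)
    return "/" + "/".join(out)


def cdn_caches_raw(raw_path: str) -> bool:
    """Weak rule: prefix match on the raw, still-encoded request path."""
    return raw_path.startswith(CACHE_PREFIX)


def cdn_caches_normalized(raw_path: str) -> bool:
    """Hardened rule: decide cacheability on the path the backend will route."""
    resolved = normalize_path(raw_path)
    if resolved.startswith(SENSITIVE_PREFIX):
        return False            # defence in depth: per-user endpoints are never cacheable
    return resolved.startswith(CACHE_PREFIX)


def assess(raw_path: str) -> dict:
    """Compare both rules against where the backend would actually route."""
    resolved = normalize_path(raw_path)
    weak = cdn_caches_raw(raw_path)
    return {
        "raw_path": raw_path,
        "backend_resolves_to": resolved,
        "cached_by_raw_rule": weak,
        "cached_by_normalized_rule": cdn_caches_normalized(raw_path),
        # Risk: the weak rule caches it, yet the backend serves something outside /share/.
        "deception_risk": weak and not resolved.startswith(CACHE_PREFIX),
    }


# Constructed access-log lines: "<timestamp> <method> <raw path> <status> <cache status>"
SAMPLE_LOG = [
    "2024-02-12T10:00:00Z GET /share/abc123 200 cf-cache-status=HIT",
    "2024-02-12T10:00:01Z GET /share/%2F..%2F/api/auth/session 200 cf-cache-status=HIT",
    "2024-02-12T10:00:02Z GET /api/auth/session 200 cf-cache-status=DYNAMIC",
    "2024-02-12T10:00:03Z GET /share/%2e%2e/api/auth/session 200 cf-cache-status=HIT",
]


def flag_log_lines(lines) -> list:
    """Return raw paths whose cached response was routed outside the cached prefix."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue            # skip malformed lines
        raw_path = parts[2]
        if assess(raw_path)["deception_risk"]:
            flagged.append(raw_path)
    return flagged


if __name__ == "__main__":
    for path in ("/share/abc123", "/share/%2F..%2F/api/auth/session"):
        print(assess(path))
    print("flagged:", flag_log_lines(SAMPLE_LOG))
```

The fix the model illustrates is that the cache rule and the origin must agree on what the path is before either acts on it: normalize (decode, resolve dot segments) once, then match, and additionally deny caching for any resolved path under a known per-user prefix so a future normalization quirk cannot reopen the hole.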