Deepfiction AI Insecure Direct Object Reference Vulnerability Allowing Credit Misuse
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Deepfiction AI's web application, affecting versions through June 3, 2025. It lets an attacker chat with the Large Language Model (LLM) while the credits of other users are charged. Exploitation relies on identifiers exposed by the '/browse/stories' endpoint.
Impact
Exploitation of this vulnerability allows for unauthorized use of other users' chat credits, enabling attackers to interact with the LLM at the expense of the affected users.
Reproduction
The vulnerability can be reproduced by browsing the publicly available conversations on the Deepfiction AI website, whose listing exposes an 'id' and an 'author_id' field for each story. An attacker copies these values into the 'treatment_id' and 'user_id' parameters of a request to the 'create-story-part' API. Because the server accepts the 'user_id' supplied in the request instead of deriving the paying user from the authenticated session, the story part is generated and the credits of the named user are consumed.
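The following is an added example, not Deepfiction AI's code: a minimal in-memory model of the flaw described above, placed beside a hardened handler. The function names (`browse_stories`, `create_story_part_vulnerable`, `create_story_part_fixed`), the session and credit tables, and the rule that a caller may only extend a story they authored are all assumptions made for illustration; the advisory names only the endpoint, the API and the substituted parameters. The vulnerable handler checks that a session exists but bills whatever `user_id` the client sends; the fixed handler bills the session's user and performs an object-level ownership check on `treatment_id`.

```python
"""Added example (not Deepfiction AI's code): IDOR in a credit-charging API,
modelled with plain dictionaries so it runs offline. All names are hypothetical."""

from copy import deepcopy

# Constructed sample state: two users with credit balances, one public story
# (treatment) authored by alice, and two logged-in sessions.
CREDITS = {"alice": 5, "bob": 5}
TREATMENTS = {"story-42": {"author_id": "alice", "public": True}}
SESSIONS = {"sess-bob": "bob", "sess-alice": "alice"}


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


class InsufficientCredits(Exception):
    """Raised when the user being charged has no credits left."""


def browse_stories(treatments=TREATMENTS):
    """Models the public listing: returns id and author_id of each public story.
    These two fields are exactly what an attacker harvests for the forged request."""
    return [{"id": tid, "author_id": t["author_id"]}
            for tid, t in treatments.items() if t["public"]]


def create_story_part_vulnerable(session_token, body, credits, sessions=SESSIONS):
    """Vulnerable shape: the session is validated, but the identity that pays is
    read from the client-supplied body, so any logged-in caller can name another
    user_id and spend that user's credits (the IDOR)."""
    if session_token not in sessions:
        raise Forbidden("not logged in")
    payer = body["user_id"]  # attacker-controlled, never tied to the session
    if credits.get(payer, 0) <= 0:
        raise InsufficientCredits(payer)
    credits[payer] -= 1
    return {"charged": payer, "treatment_id": body["treatment_id"]}


def create_story_part_fixed(session_token, body, credits,
                            sessions=SESSIONS, treatments=TREATMENTS):
    """Hardened shape: the payer is derived from the session, never from the
    body, and the caller must own the treatment (ownership rule is an assumption)."""
    user = sessions.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    treatment = treatments.get(body.get("treatment_id"))
    # Object-level authorization: reject references to objects the caller does not own.
    if treatment is None or treatment["author_id"] != user:
        raise Forbidden("treatment not owned by caller")
    if credits.get(user, 0) <= 0:
        raise InsufficientCredits(user)
    credits[user] -= 1  # only the authenticated user is ever charged
    return {"charged": user, "treatment_id": body["treatment_id"]}


def demo():
    """Replays the attack against both handlers and reports who was charged.
    bob harvests alice's ids from the public listing and submits them as his own."""
    leaked = browse_stories()[0]
    forged = {"treatment_id": leaked["id"], "user_id": leaked["author_id"]}

    vuln_credits = deepcopy(CREDITS)
    vuln_result = create_story_part_vulnerable("sess-bob", forged, vuln_credits)

    fixed_credits = deepcopy(CREDITS)
    try:
        create_story_part_fixed("sess-bob", forged, fixed_credits)
        fixed_outcome = "allowed"
    except Forbidden:
        fixed_outcome = "forbidden"

    return {
        "vulnerable_charged": vuln_result["charged"],  # "alice": bob spent her credit
        "vulnerable_credits": vuln_credits,
        "fixed_outcome": fixed_outcome,                 # "forbidden"
        "fixed_credits": fixed_credits,                 # unchanged
    }


if __name__ == "__main__":
    print(demo())
```

The detection rule for reviewers is the one line in the vulnerable handler: any identity or ownership-bearing parameter (`user_id`, `author_id`, `treatment_id`) that comes from the request body must be either replaced by the session identity or checked against it before it drives a side effect such as a credit deduction.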
