Executive Summary

CVE-2025-63663 is an incorrect access control vulnerability in the GT Edge AI Platform's API endpoint `/api/v1/conversations/*/files`. This flaw allows unauthorized remote attackers who have a valid user ID to access files uploaded by other users. Essentially, the system fails to properly restrict access to user-uploaded files, enabling attackers to bypass intended access controls and retrieve sensitive data belonging to others. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information because attackers can access files uploaded by other users without permission. This can result in privacy breaches, data leaks, and potential misuse of confidential data, impacting user trust and possibly causing harm depending on the nature of the exposed files. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the API endpoint `/api/v1/conversations/*/files` with a valid user ID and checking if files belonging to other users are accessible without proper authorization. A practical approach is to use tools like curl or HTTP clients to send requests to this endpoint with different conversation IDs and observe if unauthorized files are returned. For example, a command like `curl -i -H "Authorization: Bearer <valid_token>" https://<target>/api/v1/conversations/<other_user_conversation_id>/files` can be used to test if access control is enforced properly. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the GT Edge AI Platform to version 2.0.10 or later, where this access control vulnerability has been fixed. Until the upgrade is applied, restrict access to the vulnerable API endpoint and monitor for suspicious access patterns. Additionally, review and tighten access control policies to ensure users cannot access files belonging to others. [1]

Useful 0 Not Useful 0