CVE-2026-7223

Summary

A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Affected Software

VendorProductVersion RangeStatus
BigSweetPotatoStudioHyperChat2.0.0-alpha.0affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.1affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.2affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.3affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.4affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.5affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.6affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.7affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.8affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.9affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.10affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.11affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.12affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.13affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.14affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.15affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.16affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.17affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.18affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.19affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.20affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.21affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.22affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.23affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.24affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.25affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.26affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.27affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.28affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.29affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.30affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.31affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.32affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.33affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.34affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.35affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.36affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.37affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.38affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.39affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.40affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.41affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.42affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.43affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.44affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.45affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.46affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.47affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.48affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.49affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.50affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.51affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.52affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.53affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.54affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.55affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.56affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.57affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.58affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.59affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.60affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.61affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.62affected
BigSweetPotatoStudioHyperChat2.0.0-alpha.63affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References