Gptcache
Cache poisoning in zilliztech GPTCache (up to version 0.1.44) allows a local, low-privileged attacker to corrupt LLM response cache entries by exploiting weak image fingerprinting in the Cache Key Handler. The `BufferedReader.peek()` method in `gptcache/processor/pre.py` only reads the first ~8192 bytes of an image file to construct a cache key, meaning two distinct images sharing an identical header prefix generate the same cache key and collide. An attacker can submit a crafted image whose header matches a previously cached image, causing GPTCache to return a poisoned (wrong) LLM response for subsequent queries. Publicly available exploit code exists per the GitHub issue and included PoC; no active exploitation confirmed in CISA KEV at time of analysis.
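As an added illustration, not code from GPTCache or the PoC in the GitHub issue, the Python below models the weak key derivation (hashing only what one `BufferedReader.peek()` returns) next to a hardened key that streams the whole file through the hash, and checks both against two constructed images that share an identical 8192-byte header. `PEEK_LIMIT`, `weak_image_key`, `hardened_image_key`, `make_png_like` and the sample images are assumptions made for this example.

```python
import hashlib
import io

# Simplified model of the flaw described above: the cache key is derived from a
# single BufferedReader.peek(), which returns only what fits in the read buffer
# (io.DEFAULT_BUFFER_SIZE, 8192 bytes by default). Everything here is constructed
# for illustration and is not GPTCache's real implementation.
PEEK_LIMIT = io.DEFAULT_BUFFER_SIZE  # 8192


def weak_image_key(image: bytes) -> str:
    """Flawed key: hashes only the bytes a single peek() happens to return."""
    reader = io.BufferedReader(io.BytesIO(image))
    return hashlib.sha256(reader.peek()).hexdigest()


def hardened_image_key(image: bytes) -> str:
    """Fixed key: feed the entire file through the hash in fixed-size chunks."""
    reader = io.BufferedReader(io.BytesIO(image))
    digest = hashlib.sha256()
    for chunk in iter(lambda: reader.read(PEEK_LIMIT), b""):
        digest.update(chunk)
    return digest.hexdigest()


def make_png_like(tail: bytes) -> bytes:
    """Constructed sample: PNG signature plus filler so the first PEEK_LIMIT
    bytes are identical, followed by content that differs per image."""
    header = b"\x89PNG\r\n\x1a\n" + b"\x00" * (PEEK_LIMIT - 8)
    return header + tail


def keys_collide(key_fn, a: bytes, b: bytes) -> bool:
    """True when two different images map to the same cache key under key_fn."""
    return a != b and key_fn(a) == key_fn(b)


# Two distinct images sharing an identical 8192-byte prefix (constructed data).
IMAGE_A = make_png_like(b"cat photo pixel data" * 200)
IMAGE_B = make_png_like(b"invoice scan pixels" * 200)

if __name__ == "__main__":
    print("weak key collides:    ", keys_collide(weak_image_key, IMAGE_A, IMAGE_B))
    print("hardened key collides:", keys_collide(hardened_image_key, IMAGE_A, IMAGE_B))
```

A regression test along the lines of `keys_collide` on a pair of prefix-sharing files is a cheap way to catch this class of fingerprinting bug before it reaches a cache layer.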