Key Information Summary

Vulnerability Description

CVE ID: CVE-2025-51867
Vulnerability Type: Insecure Direct Object Reference (IDOR)
Affected System: Deepfiction AI's chat component, a web application that enables story creation through interaction with LLMs (Large Language Models).

Attack Vector

API Endpoint:
Issue: The API relies solely on the and fields within the request body for access control.
Exposed Fields: The and fields are exposed in publicly accessible conversation lists, directly corresponding to the and parameters expected by the API.
Attack Method: Attackers can substitute the leaked (as ) and (as ) into API requests, thereby interacting with the LLM using another user's credits.

Impact

User Impact: Any user of may be affected. Users' chat credits may be abused, leading to unauthorized LLM interactions.
Data Disclosure Risk: Network traffic analysis (e.g., via packet capture) can reveal specific character configurations (character settings) for each role. These configurations resemble system prompts and represent critical system resources for the LLM ChatBot. This exposure may also constitute sensitive data leakage, as it could disclose proprietary prompt engineering details or character definitions.

Image Evidence

Three image files (figure1.png, figure2.png, figure3.png) are provided as proof of the vulnerability, demonstrating the PoC (Proof of Concept) and network traffic analysis results.
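The access-control flaw described above, as an added illustration that is not Deepfiction AI's code: a handler that authorizes on identifiers taken from the request body, beside one that derives identity from the authenticated session and checks ownership of the conversation before any credit is spent. The advisory does not name the real request fields, so `owner_id` and `chat_id`, the sample records and the credit bookkeeping are all assumptions.

```python
# Added example modelling the IDOR pattern from the advisory with placeholder
# names; "owner_id"/"chat_id" and the in-memory records are constructed here.

class Forbidden(Exception):
    """Raised when a request is denied by the access-control check."""


def sample_state():
    """Constructed server-side records: per-user credit balances and
    conversations, each owned by one user and carrying a private prompt."""
    users = {"alice": {"credits": 3}, "mallory": {"credits": 0}}
    chats = {"chat-1": {"owner": "alice", "character_prompt": "<private>"}}
    return users, chats


def vulnerable_chat(users, chats, body):
    """Trusts the identifiers in the request body for access control.
    Whoever has seen owner_id/chat_id (for example in a public conversation
    list) can make the server debit that owner's credits."""
    user = users[body["owner_id"]]
    if body["chat_id"] not in chats:
        raise Forbidden("unknown chat")
    if user["credits"] <= 0:
        raise Forbidden("no credits")
    user["credits"] -= 1  # charged to the body-supplied owner, not the caller
    return f"reply for {body['chat_id']}"


def is_owner(session_user, chat_id, chats):
    """Ownership check: the chat must exist and belong to the session user."""
    chat = chats.get(chat_id)
    return chat is not None and chat["owner"] == session_user


def hardened_chat(session_user, users, chats, body):
    """Identity comes from the authenticated session; the body may only name a
    chat, and it must belong to that user before credits are touched."""
    chat_id = body.get("chat_id")
    if not is_owner(session_user, chat_id, chats):
        raise Forbidden("chat does not belong to caller")
    user = users[session_user]
    if user["credits"] <= 0:
        raise Forbidden("no credits")
    user["credits"] -= 1  # charged to the caller's own balance
    return f"reply for {chat_id}"


def outcome(handler, *args):
    """Run a handler and report ('ok', reply) or ('denied', reason)."""
    try:
        return ("ok", handler(*args))
    except Forbidden as exc:
        return ("denied", str(exc))
```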