ChatGPT Agent - XSS on file://home/oai/redirect.html

**security-research** Public

# ChatGPT Agent – XSS on file://home/oai/redirect.html

## Package

ChatGPT Agent (OpenAI)

## Affected versions

SaaS

## Patched versions

None

## Description

### Summary

ChatGPT’s Agent mode can use a browser inside a remote VM (just like Operator). `file:///home/oai/redirect.html` is a file available in the remote VM by default, and it has an XSS through the target parameter.

“`
file:///home/oai/redirect.html The page contents are still loading. Open the page again to see them.
“`

Agent mode has an improved agency, and therefore it can be easily convinced to open a file:// URL by linking a file:// URL inside a webpage.

There are 2 ways to exploit this vulnerability.

1. Find a sensitive local file whose content is also a valid JS. In which case, this might result in XSSI.
2. Advanced attackers can use SpectreJS, to read any local file by loading it as a subresource (image, script, etc).

### Severity

Moderate – An attacker with a SpectreJS exploit can read arbitrary local files in the victim’s remote VM for Agent mode.

### Proof of Concept

“`
Click here to see the page content.
“`

### Timeline

**Date reported**: 08/01/2025

**Date fixed**: 08/07/2025

**Date disclosed**: 09/08/2025

Recent posts