ChatGPT Agent - XSS on file://home/oai/redirect.html

Moderate
rcorrea35 published GHSA-fhcg-rg39-8mv6 Sep 8, 2025

Package

ChatGPT Agent (OpenAI)

Affected versions

SaaS

Patched versions

None

Description

Summary

ChatGPT's Agent mode can use a browser inside a remote VM (just like Operator). file:///home/oai/redirect.html is a file available in the remote VM by default, and it has an XSS through the target parameter.

<!--
Sample payload:
file:///home/oai/redirect.html?target=javascript:alert(location.href)
-->
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <!-- This is a sentinel value detected in code, and should not be changed -->
  <title>file:///home/oai/redirect.html</title>
  <script>
    const t = new URLSearchParams(location.search).get("target");
    if (t) setTimeout(() => location.replace(t), 0);
  </script>
</head>
<body>
  The page contents are still loading. Open the page again to see them.
</body>
</html>
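
One way to harden the redirect logic above, as an added example (not code from the advisory and not OpenAI's fix): parse `target` and navigate only when its scheme is `http:` or `https:`. The helper name `safeRedirectTarget`, the allow-list, and the sample inputs are assumptions constructed for illustration.

```javascript
// Hypothetical hardened replacement for the inline script in redirect.html.
// Only absolute http(s) URLs are accepted; everything else is dropped.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  let url;
  try {
    // No base URL is passed, so relative and scheme-relative input throws.
    // The WHATWG URL parser lowercases the scheme and strips leading
    // whitespace and embedded tabs/newlines, so "JaVaScRiPt:" and
    // "java\tscript:" are classified the way the browser would see them.
    url = new URL(raw);
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.href; // normalised form, safe to hand to location.replace()
}

// In a browser this replaces the two lines of the original script.
if (typeof location !== "undefined") {
  const t = safeRedirectTarget(new URLSearchParams(location.search).get("target"));
  if (t) setTimeout(() => location.replace(t), 0);
}

// Constructed sample inputs: the advisory's payload plus common variants.
const CONSTRUCTED_SAMPLES = [
  "javascript:alert(location.href)",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "file:///home/oai/redirect.html",
  "//example.com/x",
  "https://example.com/page?x=1",
];
for (const s of CONSTRUCTED_SAMPLES) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```

Checking the parsed `protocol` rather than matching the raw string with a prefix test or regular expression is what catches the mixed-case and embedded-whitespace variants.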

Agent mode has greater agency, so it can easily be convinced to open a file:// URL when a webpage links to one.

There are 2 ways to exploit this vulnerability.

  1. Find a sensitive local file whose content is also valid JavaScript, in which case this might result in XSSI.
  2. Advanced attackers can use SpectreJS to read any local file by loading it as a subresource (image, script, etc.).

Severity

Moderate - An attacker with a SpectreJS exploit can read arbitrary local files in the victim's remote VM for Agent mode.

Proof of Concept

<a href="file:///home/oai/redirect.html?target=javascript:alert(location.href)">Click here</a> to see the page content.

Timeline

Date reported: 08/01/2025
Date fixed: 08/07/2025
Date disclosed: 09/08/2025

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs

Credits