A ChatGPT Prompt Injection Trick Let Researchers Leak Internal File Paths

There’s a quiet tension in how chatbots handle the files you upload. You can ask ChatGPT to summarize a PDF, edit a spreadsheet, or analyze an image, but you can’t download the original file back. That’s by design. But a security researcher figured out how to bypass that restriction, and the trick reveals more than just a missing download button.

Security researcher zer0dac published a detailed breakdown of the vulnerability on Medium. The core issue is a combination of two techniques: prompt injection and path traversal. Under normal conditions, when a user uploads a file to ChatGPT, the system processes the content but does not provide a way to download the original document. If you ask ChatGPT to return the file, it typically responds that the upload was temporary and the file is no longer accessible.

Zer0dac found a workaround. First, ask ChatGPT to edit the uploaded file, say converting it to a different format or making a small change. Then claim you accidentally deleted the original and ask for a download link for the edited version. In that scenario, ChatGPT generates a real URL pointing to the file on its internal servers. That URL reveals the internal API path used for file retrieval.

Once you have that path, the attack can go further. By manipulating URL parameters (a classic path traversal technique), an attacker can attempt to read files stored outside the intended directory. The server-side restrictions block access to high-value data, but even partial path disclosure gives an attacker a foothold: a known internal route, a file naming convention, a server directory structure.

Zer0dac acknowledges the limitations. ChatGPT’s sandbox prevents direct access to sensitive user data or system files. But the vulnerability functions as a useful building block in a more complex attack chain, the kind of information disclosure that, combined with another flaw, could become a real problem.

OpenAI has already patched the issue. The company changed how download URLs are generated for edited files, closing the disclosure vector. The fix was deployed before zer0dac’s public disclosure, so there was no window where users were actively exposed.

The broader takeaway is that large language models are still figuring out how to scope file access securely. ChatGPT’s file upload feature has been one of its most popular additions: people love dumping documents into the chat and asking questions, but the boundary between “process this file” and “expose this file” turned out to be thinner than it should have been. That’s the kind of edge case that only security researchers find, and that only real-world use exposes.