A security researcher discovered that OpenAI’s ChatGPT could be tricked into permanently storing false information in a user’s long-term memory — all through a single malicious hyperlink. The vulnerability, a server-side request forgery flaw chained with the platform’s persistent memory feature, sat unpatched for more than two months after it was first reported. OpenAI finally issued a fix in late February 2025, but the episode raises uncomfortable questions about how quickly AI companies respond to security threats that target the very features they’re racing to ship.
The flaw was uncovered by Johann Rehberger, a security researcher who has made a habit of probing the boundaries of large language model integrations. Rehberger found that by crafting a specially designed URL and getting ChatGPT to fetch it — something the model does routinely when users share links — an attacker could inject instructions that would be written directly into ChatGPT’s persistent memory. That memory, a feature OpenAI introduced in early 2024 to let ChatGPT remember details about users across conversations, became the attack surface. As The Hacker News reported, the vulnerability was tracked as CVE-2025-0845 and carried a medium-severity CVSS score of 6.5.
Here’s what made it dangerous. ChatGPT’s memory feature is designed to accumulate facts about a user — their name, preferences, job, coding habits — and carry those facts forward into every future conversation. Once poisoned, that memory would influence every subsequent interaction. The injected data didn’t just sit inertly. It actively shaped ChatGPT’s responses, potentially feeding users false information, biased outputs, or subtly manipulated advice without any visible indication that something had gone wrong.
The attack chain worked like this: an attacker hosts a malicious webpage containing hidden prompt injection instructions. The victim pastes the URL into ChatGPT or asks the model to summarize the page. ChatGPT fetches the content via its server-side browsing capability, processes the hidden instructions, and writes attacker-controlled data into the victim’s persistent memory. No additional interaction required.
Rehberger first reported the issue to OpenAI in late 2024. The company’s initial response, according to his public disclosure, classified it as a “safety” issue rather than a security vulnerability — a distinction that effectively deprioritized it. Rehberger pushed back, demonstrating a proof-of-concept that showed data exfiltration was possible through the same vector. OpenAI eventually acknowledged the severity and deployed a partial fix, but the full patch for the memory injection component didn’t land until February 2025.
That timeline matters.
Two months is a long window for a vulnerability that requires nothing more than a user clicking a link — something that happens millions of times a day inside ChatGPT conversations. And the classification dispute points to a broader tension within AI companies between safety teams focused on model behavior (hallucinations, bias, harmful content) and security teams focused on traditional software vulnerabilities (injection, SSRF, authentication bypass). These are different disciplines with different urgency frameworks, and when a bug falls in the gap between them, response times suffer.
The server-side request forgery component of the attack is a well-understood class of web vulnerability. SSRF flaws allow an attacker to make a server issue requests to unintended destinations — in this case, to fetch content containing prompt injection payloads. What’s novel here is the combination: SSRF plus prompt injection plus persistent memory creates a chain where a single interaction can permanently compromise a user’s AI assistant. The persistence is what elevates this from a nuisance to a genuine threat. Traditional prompt injection attacks reset when a conversation ends. This one doesn’t.
OpenAI’s memory feature launched with guardrails. Users can review and delete stored memories. The system is supposed to ask for confirmation before storing certain types of information. But Rehberger’s exploit bypassed those controls entirely because the injection occurred at a layer below the user-facing interface — through the content fetching mechanism rather than through direct conversation. The model didn’t “ask” to store the memory. It just did.
Security researchers on X have pointed out that this vulnerability is symptomatic of a pattern. As AI companies bolt on new capabilities — web browsing, code execution, file analysis, persistent memory, tool use — each new feature introduces attack surface that doesn’t map neatly onto existing security models. A web application firewall won’t catch a prompt injection hidden in a webpage’s HTML comments. Traditional input validation doesn’t apply when the “input” is natural language processed by a neural network. And memory features, by design, create state that persists across sessions — exactly the kind of foothold attackers prize.
The CVSS score of 6.5 rated it medium severity, which some in the security community have argued undersells the real-world impact. A compromised memory could, for instance, convince ChatGPT that a user prefers a specific software library (one with known vulnerabilities), that they work at a different company, or that certain security practices are unnecessary. For developers who use ChatGPT as a coding assistant — and there are millions of them — poisoned memories could lead to subtly insecure code suggestions delivered with the model’s characteristic confidence.
OpenAI has not publicly commented in detail on the vulnerability beyond confirming the patch. The company’s security page notes its bug bounty program and encourages responsible disclosure, but the months-long gap between report and fix suggests that the internal triage process for this class of hybrid AI-security vulnerability is still maturing.
This isn’t the first time Rehberger has found memory-related vulnerabilities in ChatGPT. In September 2024, he demonstrated a separate attack that could exfiltrate user data through the memory feature, which OpenAI also patched after initial pushback. The recurrence suggests that persistent memory remains an under-hardened feature — one that OpenAI shipped to enhance user experience but hasn’t yet fully stress-tested against adversarial inputs.
And the problem isn’t unique to OpenAI. Google’s Gemini, Anthropic’s Claude, and other AI assistants are all adding memory and personalization features. Each implementation carries similar risks. If an AI assistant remembers things about you, the integrity of those memories becomes a security-critical property. Corrupt the memory, corrupt the assistant.
So where does this leave enterprise users? Organizations deploying ChatGPT through OpenAI’s API or enterprise tier should audit whether memory features are enabled by default and whether they’re necessary for their use case. Disabling persistent memory eliminates this attack vector entirely, though it sacrifices the convenience the feature provides. For individual users, periodically reviewing stored memories — accessible through ChatGPT’s settings — is a reasonable precaution, though it requires knowing what to look for.
The broader lesson is structural. AI capabilities are shipping faster than AI security practices can mature. Features like persistent memory, web browsing, and tool use transform a language model from a stateless text generator into a stateful agent with access to external systems and long-term knowledge about its user. Each of those properties is a gift to attackers if not properly secured. And the security community’s existing toolkit — built for web apps, APIs, and operating systems — doesn’t yet fully cover the threat models that emerge when the application layer is a neural network interpreting natural language.
OpenAI patched this one. But the next vulnerability in this class is likely already being probed. The question is whether AI companies will treat these hybrid flaws with the urgency they deserve, or continue sorting them into bureaucratic categories that delay response. For a company valued at over $300 billion and serving hundreds of millions of users, two months is too long to leave a one-click memory corruption bug in the wild.
The fix is in. The lesson shouldn’t take as long to land.


WebProNews is an iEntry Publication