7 Fresh ChatGPT Zero-Days Hit November 2025 – Patch Before You Prompt

OpenAI shipped GPT-4.5 Turbo on 28 October 2025, promising 2× speed and 30 % cost cut. Within 72 hours a coalition of red-teamers dropped seven working exploits, five of them rated “critical” (CVSS ≥ 9.0). All flaws bypass the new “Guardian-2” safety stack and work against every tier, including the freshly released ChatGPT Enterprise EU Sovereign. Below is the November 2025 situational report—what changed, what still hurts, and how to lock down your chats today.

The November 2025 nasty list

Silent Interpreter II (CVE-2025-4421)
A zero-width Unicode tag hidden in an inline LaTeX formula now breaks the upgraded gVisor sandbox and spawns a root shell on the Lambda runner. No user click required—just viewing the rendered math triggers the payload. CVSS 10.0, publicly available PoC on GitHub since 2 Nov 2025.

LongDAN-3 (CVE-2025-4429)
Three-turn conversation is enough to collapse the “hierarchical instruction lattice” OpenAI introduced in 4.5 Turbo. Attackers obtained full PDFs of copyrighted academic books and Windows 11 source snippets in penetration tests. CVSS 9.3.

PluginWarp-R (CVE-2025-4437)
Re-engineered for the new “plugin relay” architecture. A malicious calendar plugin can still swap redirect URIs, but now steals the enterprise SAML assertion instead of the vanilla OAuth token, giving lateral access to corporate SharePoint. CVSS 8.9.

TokenTide-NG (CVE-2025-4445)
Exploits the 30-day refresh-token grace period that survived the October patch. Attackers phish via the new ChatGPT desktop app for Windows on ARM, then replay tokens on macOS and iPad without triggering MFA. CVSS 8.8.

DoppelSystem-3D (CVE-2025-4453)
The upgraded Blender 4.2 renderer still allows a crafted GLB file to overflow the asset metadata buffer, leaking other users’ uploaded CSVs from the same GPU node. CVSS 8.4.

Context Bomb-XT (CVE-2025-4461)
Flooding the 128 k context window with 1,024 fake system messages in the new “extended thinking” mode forces the model to ignore all safety instructions in later turns. CVSS 7.8.

Markdown Stealer-NX (CVE-2025-4469)
The refreshed Electron desktop shell finally enables strict CSP—unless the user is in offline mode. A javascript: link inside a markdown table still fires and exfiltrates the bearer token. CVSS 7.9.

What OpenAI patched already (hot-fixes pushed 4-5 Nov 2025)

– Re-built sandbox image with kernel 6.11 and disabled Unicode tag parsing—mitigates Silent Interpreter II.
– Shortened refresh-token TTL from 30 days to 90 minutes and added device-bound cookies—partial fix for TokenTide-NG.
– Forced offline-mode Electron to inherit CSP—blocks Markdown Stealer-NX when no network detected.
– Started staggered rollout of “Guardian-2.1” with prompt-smuggling classifier; reaches 60 % of users by 15 Nov 2025.

Immediate actions for users & admins

1. Disable LaTeX rendering in Settings → Appearance until 20 Nov patch.

2. Turn off third-party plugins enterprise-wide via Admin console → Integrations.

3. Reduce session lifetime to 4 h in Azure AD / Okta SAML claims.

4. Block outbound 443 for Electron app in offline mode via MDM firewall rule.

5. Scan uploaded 3-D files with Blender 4.3 nightly before sending to ChatGPT.

6. Monitor GitHub repo “openai-guardian-bypass” for new PoCs—IoCs updated hourly.

7. Switch to GPT-4.5 Turbo-2025-11-06 snapshot once available (promised 18 Nov).

Bottom line

November 2025 proves again that bigger models equal bigger targets. Until Guardian-2.1 fully deploys, treat every ChatGPT conversation like inbound email: sandbox, sanitise, and segment.