ChatGPT Telemetry Crashes on Invalid Input (Yes, Really)
Source: Dev.to
Overview
Everyone says telemetry “doesn’t matter” — until it starts returning 500 Internal Server Error.
I pointed Rentgen at one of ChatGPT’s internal telemetry endpoints (the one triggered when you click Copy under a message). I copied the cURL request straight from the browser and fed it to Rentgen, then let Rentgen mutate the inputs.
Findings
- An invalid UUID supplied as a JSON string inside an otherwise valid payload consistently triggered 500 errors.
- Cyrillic characters → 500
- Accented letters → 500
- Random symbols → 500
Even more interesting:
- Supplying numbers or booleans returned 422, indicating that type‑level validation exists.
- When the value is a string, the server proceeds to runtime and crashes.
What this means
- The endpoint does not treat malformed input as a client error.
- A 500 response caused by bad client input is a validation bug, not an acceptable failure mode.
Implications
Telemetry endpoints are called automatically, frequently, and by uncontrolled clients. If malformed input can crash them, they become a stability and DoS risk waiting to be discovered the hard way.
- 400 or 422 responses are appropriate for client‑side errors.
- 500 responses should never be caused by bad client input.
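To make the findings and the fix concrete, here is an added example (my own illustration, not the post's code, not Rentgen, and not ChatGPT's real schema; the `message_id` field and the `record_event` helper are hypothetical): a handler with type-level validation only, the hardened handler that validates the UUID format before runtime code runs, and a small mutate-and-observe loop like the one the post describes.

```python
import uuid
from typing import Any

# Constructed sample event (hypothetical field names, not ChatGPT's real schema).
SAMPLE = {"message_id": "123e4567-e89b-12d3-a456-426614174000", "action": "copy"}

def record_event(message_id: uuid.UUID, action: Any) -> None:
    """Stand-in for the runtime code that stores the event; it expects a real UUID."""
    return None

def weak_handler(payload: dict[str, Any]) -> tuple[int, str]:
    """Type-level validation only: any string passes straight through to runtime code."""
    mid = payload.get("message_id")
    if not isinstance(mid, str):
        return 422, "message_id must be a string"
    try:
        # Runtime parsing of an unchecked string: "Привет" or "not-a-uuid" raises here.
        record_event(uuid.UUID(mid), payload.get("action"))
        return 200, "ok"
    except Exception:
        return 500, "Internal Server Error"   # client input surfaces as a server crash

def strict_handler(payload: dict[str, Any]) -> tuple[int, str]:
    """Same type check, plus format validation before any runtime code runs."""
    mid = payload.get("message_id")
    if not isinstance(mid, str):
        return 422, "message_id must be a string"
    try:
        parsed = uuid.UUID(mid)
    except ValueError:
        return 422, "message_id must be a canonical UUID"
    if str(parsed) != mid.lower():          # also reject "{...}" and "urn:uuid:" variants
        return 422, "message_id must be a canonical UUID"
    record_event(parsed, payload.get("action"))
    return 200, "ok"

# The mutations the post describes: bad UUID, Cyrillic, accented letter, symbols, number, boolean.
MUTATIONS: list[Any] = ["not-a-uuid", "Привет", "é", "!@#$%", 42, True]

def negative_test(handler) -> dict[str, int]:
    """Mutate one field at a time and record the status code each mutation produces."""
    return {repr(m): handler({**SAMPLE, "message_id": m})[0] for m in MUTATIONS}

if __name__ == "__main__":
    print("weak  :", negative_test(weak_handler))
    print("strict:", negative_test(strict_handler))
```

Running it shows the weak handler returning 422 for the number and boolean but 500 for every malformed string, while the strict handler returns 422 for all six mutations and 200 only for the well-formed sample.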
How the issue was discovered
The entire discovery took:
- One copied cURL request.
- About a minute of basic negative testing with Rentgen.
No fuzzing framework, no AI magic—just straightforward testing that many teams skip because “nothing broke”.
Conclusion
This is a clear example of why tools like Rentgen exist: they expose validation bugs that can lead to crashes in seemingly innocuous telemetry endpoints.
Full breakdown, screenshots, and details here: