My guess would be the response text is passed through a rudimentary templating engine that looks for { and }. Somehow it must be processing the whole chat history. The templater fails at the unexpected braces in the code block and then just gives up (probably a try-catch ignores the error and sends the message anyway).
How does this exploit work? I understand that inputs were not sanitized, but what did the injected code do?
My guess would be the response text is passed through a rudimentary templating engine that looks for
{
and}
. Somehow it must be processing the whole chat history. The templater fails at the unexpected braces in the code block and then just gives up (probably a try-catch ignores the error and sends the message anyway).