cbcvebase.

Binary-Husky Gpt Academic vulnerabilities

22 known vulnerabilities affecting binary-husky/binary-husky_gpt_academic.

Total CVEs
22
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
HIGH12MEDIUM10

Vulnerabilities

Page 1 of 2
CVE-2024-12389P2HIGHCVSS 8.8≥ unspecified, ≤ latest2025-03-20
CVE-2024-12389 [HIGH] CWE-29 CVE-2024-12389: A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The applicat A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability t
nvd
CVE-2024-12390P2HIGHCVSS 8.8≥ unspecified, ≤ latest2025-03-20
CVE-2024-12390 [HIGH] CWE-59 CVE-2024-12390: A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. T A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application supports the extraction of user-provided RAR files without proper validation. The Python rarfile module, which supports symlinks, can be exploited to perform arbitrary file writes. This can lead to remote code execution by writing to sensi
nvd
CVE-2024-10954P2HIGHCVSS 8.8≥ unspecified, ≤ latest2025-03-20
CVE-2024-10954 [HIGH] CWE-94 CVE-2024-10954: In the `manim` plugin of binary-husky/gpt_academic, versions prior to the fix, a vulnerability exist In the `manim` plugin of binary-husky/gpt_academic, versions prior to the fix, a vulnerability exists due to improper handling of user-provided prompts. The root cause is the execution of untrusted code generated by the LLM without a proper sandbox. This allows an attacker to perform remote code execution (RCE) on the app backend server by injecting ma
nvd
CVE-2024-10950P2HIGHCVSS 8.8≥ unspecified, ≤ latest2025-03-20
CVE-2024-10950 [HIGH] CWE-94 CVE-2024-10950: In binary-husky/gpt_academic version <= 3.83, the plugin `CodeInterpreter` is vulnerable to code inj In binary-husky/gpt_academic version <= 3.83, the plugin `CodeInterpreter` is vulnerable to code injection caused by prompt injection. The root cause is the execution of user-provided prompts that generate untrusted code without a sandbox, allowing the execution of parts of the LLM-generated code. This vulnerability can be exploited by an attacker to a
nvd
CVE-2024-11039P3HIGHCVSS 8.8≥ unspecified, < 91f5e6b2025-03-20
CVE-2024-11039 [HIGH] CWE-502 CVE-2024-11039: A pickle deserialization vulnerability exists in the Latex English error correction plug-in function A pickle deserialization vulnerability exists in the Latex English error correction plug-in function of binary-husky/gpt_academic versions up to and including 3.83. This vulnerability allows attackers to achieve remote command execution by deserializing untrusted data. The issue arises from the inclusion of numpy in the deserialization whitelist, whic
nvd
CVE-2024-10812P3MEDIUMCVSS 6.1PoC≥ unspecified, ≤ latest2025-03-20
CVE-2024-10812 [MEDIUM] CWE-601 CVE-2024-10812: An open redirect vulnerability exists in binary-husky/gpt_academic version 3.83. The vulnerability o An open redirect vulnerability exists in binary-husky/gpt_academic version 3.83. The vulnerability occurs when a user is redirected to a URL specified by user-controlled input in the 'file' parameter without proper validation or sanitization. This can be exploited by attackers to conduct phishing attacks, distribute malware, and steal user credentia
nvd
CVE-2024-10986P3HIGHCVSS 8.8≥ unspecified, ≤ latest2025-03-20
CVE-2024-10986 [HIGH] CWE-59 CVE-2024-10986: GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotRelo GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks. This oversight allows attackers to read arbitrary local
nvd
CVE-2024-11031P3HIGHCVSS 7.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-11031 [HIGH] CWE-918 CVE-2024-11031: In version 3.83 of binary-husky/gpt_academic, a Server-Side Request Forgery (SSRF) vulnerability exi In version 3.83 of binary-husky/gpt_academic, a Server-Side Request Forgery (SSRF) vulnerability exists in the Markdown_Translate.get_files_from_everything() API. This vulnerability is exploited through the HotReload(Markdown翻译中) plugin function, which allows downloading arbitrary web hosts by only checking if the link starts with 'http'. Attackers ca
nvd
CVE-2024-10100P3HIGHCVSS 7.5≥ unspecified, ≤ latest2024-10-17
CVE-2024-10100 [HIGH] CWE-22 CVE-2024-10100: A path traversal vulnerability exists in binary-husky/gpt_academic version 3.83. The vulnerability i A path traversal vulnerability exists in binary-husky/gpt_academic version 3.83. The vulnerability is due to improper handling of the file parameter, which is open to path traversal through URL encoding. This allows attackers to view any file on the host system, including sensitive files such as critical application files, SSH keys, API keys, and confi
nvd
CVE-2024-11030P3HIGHCVSS 7.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-11030 [HIGH] CWE-918 CVE-2024-11030: GPT Academic version 3.83 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability throug GPT Academic version 3.83 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability through its HotReload plugin function, which calls the crazy_utils.get_files_from_everything() API without proper sanitization. This allows attackers to exploit the vulnerability to abuse the victim GPT Academic's Gradio Web server's credentials to access una
nvd
CVE-2024-12392P3MEDIUMCVSS 6.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-12392 [MEDIUM] CWE-918 CVE-2024-12392: A Server-Side Request Forgery (SSRF) vulnerability exists in binary-husky/gpt_academic version git 3 A Server-Side Request Forgery (SSRF) vulnerability exists in binary-husky/gpt_academic version git 310122f. The application has a functionality to download papers from arxiv.org, but the URL validation is incomplete. An attacker can exploit this vulnerability to make the application access any URL, including internal services, and read the response.
nvd
CVE-2024-10948P3MEDIUMCVSS 6.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-10948 [MEDIUM] CWE-22 CVE-2024-10948: A vulnerability in the upload function of binary-husky/gpt_academic allows any user to read arbitrar A vulnerability in the upload function of binary-husky/gpt_academic allows any user to read arbitrary files on the system, including sensitive files such as `config.py`. This issue affects the latest version of the product. An attacker can exploit this vulnerability by intercepting the websocket request during file upload and replacing the file path
nvd
CVE-2024-10714P3HIGHCVSS 7.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-10714 [HIGH] CWE-770 CVE-2024-10714: A vulnerability in binary-husky/gpt_academic version 3.83 allows an attacker to cause a Denial of Se A vulnerability in binary-husky/gpt_academic version 3.83 allows an attacker to cause a Denial of Service (DoS) by adding excessive characters to the end of a multipart boundary during file upload. This results in the server continuously processing each character and displaying warnings, rendering the application inaccessible. The issue occurs when th
nvd
CVE-2024-11037P3MEDIUMCVSS 6.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-11037 [MEDIUM] CWE-22 CVE-2024-11037: A path traversal vulnerability exists in binary-husky/gpt_academic at commit 679352d, which allows a A path traversal vulnerability exists in binary-husky/gpt_academic at commit 679352d, which allows an attacker to bypass the blocked_paths protection and read the config.py file containing sensitive information such as the OpenAI API key. This vulnerability is exploitable on Windows operating systems by accessing a specific URL that includes the abso
nvd
CVE-2024-11033P3MEDIUMCVSS 6.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-11033 [MEDIUM] CWE-400 CVE-2024-11033: A Denial of Service (DoS) vulnerability exists in the file upload feature of binary-husky/gpt_academ A Denial of Service (DoS) vulnerability exists in the file upload feature of binary-husky/gpt_academic version 3.83. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. An attacker can exploit this vulnerability by sending a payload with an excessively large filename, causing the server to bec
nvd
CVE-2024-10819P3HIGHCVSS 8.8≥ unspecified, ≤ latest2025-03-20
CVE-2024-10819 [HIGH] CWE-352 CVE-2024-10819: A Cross-Site Request Forgery (CSRF) vulnerability in version 3.83 of binary-husky/gpt_academic allow A Cross-Site Request Forgery (CSRF) vulnerability in version 3.83 of binary-husky/gpt_academic allows an attacker to trick a user into uploading files without their consent, exploiting their session. This can lead to unauthorized file uploads and potential system compromise. The uploaded file can contain malicious scripts, leading to stored Cross-Site
nvd
CVE-2024-12387P3MEDIUMCVSS 6.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-12387 [MEDIUM] CWE-409 CVE-2024-12387: A vulnerability in the binary-husky/gpt_academic repository, as of commit git 3890467, allows an att A vulnerability in the binary-husky/gpt_academic repository, as of commit git 3890467, allows an attacker to crash the server by uploading a specially crafted zip bomb. The server decompresses the uploaded file and attempts to load it into memory, which can lead to an out-of-memory crash. This issue arises due to improper input validation when handl
nvd
CVE-2024-10956P4HIGHCVSS 7.1≥ unspecified, ≤ latest2025-03-20
CVE-2024-10956 [HIGH] CWE-346 CVE-2024-10956: GPT Academy version 3.83 in the binary-husky/gpt_academic repository is vulnerable to Cross-Site Web GPT Academy version 3.83 in the binary-husky/gpt_academic repository is vulnerable to Cross-Site WebSocket Hijacking (CSWSH). This vulnerability allows an attacker to hijack an existing WebSocket connection between the victim's browser and the server, enabling unauthorized actions such as deleting conversation history without the victim's consent. The
nvd
CVE-2024-12388P4MEDIUMCVSS 6.5≥ unspecified, ≤ latest2025-03-20
CVE-2024-12388 [MEDIUM] CWE-1333 CVE-2024-12388: A vulnerability in binary-husky/gpt_academic version 310122f allows for a Regular Expression Denial A vulnerability in binary-husky/gpt_academic version 310122f allows for a Regular Expression Denial of Service (ReDoS) attack. The application uses a regular expression to parse user input, which can take polynomial time to match certain crafted inputs. This allows an attacker to send a small malicious payload to the server, causing it to become unr
nvd
CVE-2025-0183P4MEDIUMCVSS 5.4≥ unspecified, ≤ latest2025-03-20
CVE-2025-0183 [MEDIUM] CWE-79 CVE-2025-0183: A stored cross-site scripting (XSS) vulnerability exists in the Latex Proof-Reading Module of binary A stored cross-site scripting (XSS) vulnerability exists in the Latex Proof-Reading Module of binary-husky/gpt_academic version 3.9.0. This vulnerability allows an attacker to inject malicious scripts into the `debug_log.html` file generated by the module. When an admin visits this debug report, the injected scripts can execute, potentially leading to
nvd
Binary-Husky Gpt Academic vulnerabilities | cvebase