CVE-2024-10950: Code Injection in binary-husky/gpt_academic
Description
In binary-husky/gpt_academic version <= 3.83, the plugin `CodeInterpreter` is vulnerable to code injection caused by prompt injection. The root cause is the execution of user-provided prompts that generate untrusted code without a sandbox, allowing the execution of parts of the LLM-generated code. This vulnerability can be exploited by an attacker to achieve remote code execution (RCE) on the application backend server, potentially gaining full control of the server.
Classification
CVE ID: CVE-2024-10950
CVSS Base Severity: HIGH
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Problem Types
CWE-94 Improper Control of Generation of CodeAffected Products
Vendor: binary-husky
Product: binary-husky/gpt_academic
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.44% (probability of being exploited)
EPSS Percentile: 61.79% (scored less or equal to compared to others)
EPSS Date: 2025-04-18 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2024-10950https://huntr.com/bounties/9abb1617-0c1d-42c7-a647-d9d2b39c6866