In the `manim` plugin of binary-husky/gpt_academic, versions prior to the fix, a vulnerability exists due to improper handling of user-provided prompts. The root cause is the execution of untrusted code generated by the LLM without a proper sandbox. This allows an attacker to perform remote code execution (RCE) on the app backend server by injecting malicious code through the prompt.
CVE ID: CVE-2024-10954
CVSS Base Severity: HIGH
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vendor: binary-husky
Product: binary-husky/gpt_academic
EPSS Score: 0.44% (probability of being exploited)
EPSS Percentile: 61.79% (scored less or equal to compared to others)
EPSS Date: 2025-04-18 (when was this score calculated)