CVE-2024-10986: Local File Read (LFI) by Tarslip Symlink via arxiv_download() API in binary-husky/gpt_academic

8.8 CVSS

Description

GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function, which downloads and extracts tar.gz files from arxiv.org. Although the extraction code guards against path traversal in member names, it overlooks the tarslip variant triggered by symlink entries, whose link targets are never checked. This oversight allows an attacker to read arbitrary local files from the victim server.
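The defect described above is the gap between checking a member's name and checking where a symlink member points. The following added example (not code from gpt_academic) contrasts a name-only traversal check with a hardened one over a constructed in-memory archive; the destination directory and archive contents are assumptions made for the demonstration.

```python
import io
import os
import tarfile

def build_archive() -> bytes:
    """Constructed sample archive (not from the report): one regular file plus two
    symlinks whose names look harmless but whose targets point outside the tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"\\documentclass{article}"
        info = tarfile.TarInfo("paper/main.tex")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        for name, target in (("paper/notes.txt", "/etc/hostname"),
                             ("paper/refs.bib", "../../../secret.key")):
            link = tarfile.TarInfo(name)
            link.type = tarfile.SYMTYPE
            link.linkname = target
            tar.addfile(link)
    return buf.getvalue()

def inside(dest: str, path: str) -> bool:
    """True if path, once normalised, stays strictly below dest."""
    return os.path.realpath(path).startswith(os.path.realpath(dest) + os.sep)

def name_only_check(member: tarfile.TarInfo, dest: str) -> bool:
    """Traversal check on member.name only: the pattern the advisory says was
    bypassed, because the symlink target is never inspected."""
    return inside(dest, os.path.join(dest, member.name))

def hardened_check(member: tarfile.TarInfo, dest: str) -> bool:
    """Check the name and, for links, the resolved link target as well."""
    full = os.path.join(dest, member.name)
    if not inside(dest, full):
        return False
    if member.issym():
        # A symlink target is relative to the link's own directory; an absolute
        # target replaces the prefix in os.path.join and so escapes dest.
        return inside(dest, os.path.join(os.path.dirname(full), member.linkname))
    if member.islnk():
        return inside(dest, os.path.join(dest, member.linkname))
    return member.isfile() or member.isdir()  # no devices, FIFOs, etc.

def filter_members(archive: bytes, dest: str, check) -> list:
    """Return the sorted names of members that the given check would extract."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if check(m, dest))
```

With the constructed archive, `name_only_check` accepts all three members while `hardened_check` keeps only `paper/main.tex`; on Python 3.12 and later, `tar.extractall(filter="data")` applies equivalent link-target checks in the standard library.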

Classification

CVE ID: CVE-2024-10986

CVSS Base Severity: HIGH

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-20 Improper Input Validation

Affected Products

Vendor: binary-husky

Product: binary-husky/gpt_academic

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (probability of being exploited)

EPSS Percentile: 27.2% (share of all scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-04-18 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-10986
https://huntr.com/bounties/db2167f5-f17f-491d-aeec-69ba55bf6427

Timeline