CVE-2024-10986

Exploit

EPSS 0.14%
Veröffentlicht 20.03.2025 10:10:55
Zuletzt bearbeitet 15.10.2025 13:15:38
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks. This oversight allows attackers to read arbitrary local files from the victim server.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Binary-husky ≫ Gpt Academic Version3.83

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.343

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://huntr.com/bounties/db2167f5-f17f-491d-aeec-69ba55bf6427

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-10986

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-10986

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-10986

EUVD