CVE-2024-10950
- Source
- https://cve.org/CVERecord?id=CVE-2024-10950
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10950.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-10950
- Published
- 2025-03-20T10:15:22.110Z
- Modified
- 2026-04-10T05:08:12.174189Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In binary-husky/gpt_academic version <= 3.83, the plugin
CodeInterpreteris vulnerable to code injection caused by prompt injection. The root cause is the execution of user-provided prompts that generate untrusted code without a sandbox, allowing the execution of parts of the LLM-generated code. This vulnerability can be exploited by an attacker to achieve remote code execution (RCE) on the application backend server, potentially gaining full control of the server. - References
Affected packages
Git / github.com/binary-husky/gpt_academic
Affected versions
version2.*
version2.68-3
version2.68-4
version2.7
version3.*
version3.1-2
version3.1-3
version3.15
version3.2
version3.3-3
version3.32
version3.33
version3.33-2
version3.34
version3.35
version3.36
version3.37
version3.37-2
version3.37-3
version3.37-4
version3.4
version3.4-2
version3.41-2
version3.41-3
version3.42
version3.42-2
version3.43
version3.44
version3.45
version3.47
version3.48
version3.48-1
version3.50
version3.50-1
version3.50-2
version3.52
version3.52-1
version3.53-1
version3.53-2
version3.54
version3.54-2
version3.55
version3.55-2
version3.60-1
version3.64-1
version3.70
version3.74
version3.83