CVE-2024-10986

Source
https://cve.org/CVERecord?id=CVE-2024-10986
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10986.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-10986
Published
2025-03-20T10:15:22.597Z
Modified
2026-04-10T05:08:12.638197Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks. This oversight allows attackers to read arbitrary local files from the victim server.

References

Affected packages

Git / github.com/binary-husky/gpt_academic

Affected ranges

Type
GIT
Repo
https://github.com/binary-husky/gpt_academic
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.83"
        }
    ]
}

Affected versions

version2.*
version2.68-3
version2.68-4
version2.7
version3.*
version3.1-2
version3.1-3
version3.15
version3.2
version3.3-3
version3.32
version3.33
version3.33-2
version3.34
version3.35
version3.36
version3.37
version3.37-2
version3.37-3
version3.37-4
version3.4
version3.4-2
version3.41-2
version3.41-3
version3.42
version3.42-2
version3.43
version3.44
version3.45
version3.47
version3.48
version3.48-1
version3.50
version3.50-1
version3.50-2
version3.52
version3.52-1
version3.53-1
version3.53-2
version3.54
version3.54-2
version3.55
version3.55-2
version3.60-1
version3.64-1
version3.70
version3.74
version3.83

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10986.json"