CVE-2024-10986

Source
https://cve.org/CVERecord?id=CVE-2024-10986
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10986.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-10986
Published
2025-03-20T10:10:55.368Z
Modified
2026-07-08T08:11:42.049247143Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Local File Read (LFI) by Tarslip Symlink via arxiv_download() API in binary-husky/gpt_academic
Details

GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks. This oversight allows attackers to read arbitrary local files from the victim server.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/10xxx/CVE-2024-10986.json",
    "cna_assigner": "@huntr_ai",
    "cwe_ids": [
        "CWE-59"
    ]
}
References

Affected packages

Git / github.com/binary-husky/gpt_academic

Affected ranges

Type
GIT
Repo
https://github.com/binary-husky/gpt_academic
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:binary-husky:gpt_academic:3.83:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.83"
        },
        {
            "last_affected": "3.83"
        }
    ]
}

Affected versions

3.*
3.83
version3.*
version3.83

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10986.json"