CVE-2024-11039

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-11039
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11039.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-11039
Published
2025-03-20T10:15:23Z
Modified
2025-03-21T01:50:28.254575Z
Summary
[none]
Details

A pickle deserialization vulnerability exists in the Latex English error correction plug-in function of binary-husky/gptacademic versions up to and including 3.83. This vulnerability allows attackers to achieve remote command execution by deserializing untrusted data. The issue arises from the inclusion of numpy in the deserialization whitelist, which can be exploited by constructing a malicious compressed package containing a mergeresult.pkl file and a mergeproofreaden.tex file. The vulnerability is fixed in commit 91f5e6b.

References

Affected packages

Git / github.com/binary-husky/gpt_academic

Affected ranges

Type
GIT
Repo
https://github.com/binary-husky/gpt_academic
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
91f5e6b8f754beb47b02f7c1893804c1c9543ccb

Affected versions

version2.*

version2.68-3
version2.68-4
version2.7

version3.*

version3.1
version3.1-2
version3.1-3
version3.15
version3.2
version3.3
version3.3-2
version3.3-3
version3.3-4
version3.32
version3.33
version3.33-2
version3.34
version3.35
version3.36
version3.37
version3.37-2
version3.37-3
version3.37-4
version3.4
version3.4-2
version3.41
version3.41-2
version3.41-3
version3.42
version3.42-2
version3.43
version3.44
version3.45
version3.47
version3.48
version3.48-1
version3.50
version3.50-1
version3.50-2
version3.50-3
version3.52
version3.52-1
version3.53
version3.53-1
version3.53-2
version3.54
version3.54-2
version3.55
version3.55-2
version3.60-1
version3.60-2
version3.60-3
version3.64-1
version3.70
version3.74
version3.75
version3.83
version3.83-fix-1
version3.90
version3.90patch1