CVE-2024-10956 HIGH

CVE-2024-10956: Cross-Site WebSocket Hijacking in binary-husky/gpt_academic

Vendor: Binary-Husky
Product: binary-husky/gpt_academic
Weakness: CWE-346 · Origin validation
Published: March 20, 2025
Last update: July 15, 2025

CVSS base score

7.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

What the vulnerability does

01 Description

GPT Academy version 3.83 in the binary-husky/gpt_academic repository is vulnerable to Cross-Site WebSocket Hijacking (CSWSH). This vulnerability allows an attacker to hijack an existing WebSocket connection between the victim's browser and the server, enabling unauthorized actions such as deleting conversation history without the victim's consent. The issue arises due to insufficient WebSocket authentication and lack of origin validation.
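The missing origin validation named above can be closed with a check like the following at the WebSocket handshake. This is an added example, not code from gpt_academic; the allow-list values and the function names `normalize_origin` and `origin_allowed` are assumptions. The check complements per-connection authentication and does not replace it.

```python
from urllib.parse import urlsplit

# Constructed allow-list; a real deployment lists its own front-end origins.
ALLOWED_ORIGINS = {"https://chat.example.test", "http://localhost:7860"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return (scheme, host, port) for a serialized origin, or None if malformed."""
    if not value or value == "null":  # sandboxed frames and file:// send "null"
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An Origin header is only scheme://host[:port]; anything more is suspect.
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


_ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def origin_allowed(headers):
    """Decide whether a WebSocket upgrade request may proceed.

    headers: list of (name, value) pairs from the handshake request.
    Compares the parsed origin tuple, never a string prefix or substring,
    so look-alike hosts such as chat.example.test.evil.test do not match.
    """
    values = [v for k, v in headers if k.lower() == "origin"]
    if len(values) != 1:  # browsers always send exactly one Origin on upgrade
        return False
    origin = normalize_origin(values[0].strip())
    return origin is not None and origin in _ALLOWED


if __name__ == "__main__":
    # Constructed handshake headers for illustration.
    same_site = [("Host", "chat.example.test"), ("Origin", "https://chat.example.test")]
    cross_site = [("Host", "chat.example.test"), ("Origin", "https://other.example.test")]
    print(origin_allowed(same_site), origin_allowed(cross_site))
```

A server would call `origin_allowed` before accepting the upgrade and answer a rejected handshake with HTTP 403.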

Key dates

02 Disclosure timeline

March 20, 2025: CVE published
July 15, 2025: Record updated