CVE-2024-12392 MEDIUM

CVE-2024-12392: Server-Side Request Forgery (SSRF) in binary-husky/gpt_academic

Vendor Binary-Husky
Product binary-husky/gpt_academic
Weakness CWE-918 · SSRF
Published March 20, 2025
Last update March 20, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A Server-Side Request Forgery (SSRF) vulnerability exists in binary-husky/gpt_academic version git 310122f. The application has a functionality to download papers from arxiv.org, but the URL validation is incomplete. An attacker can exploit this vulnerability to make the application access any URL, including internal services, and read the response. This can be used to access data that are only accessible from the server, such as AWS metadata credentials, and can escalate local exploits to network-based attacks.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated