CVE-2024-12391 (GCVE-0-2024-12391)

Vulnerability from cvelistv5 – Published: 2025-03-20 10:10 – Updated: 2025-10-15 12:50
VLAI?
Summary
A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. The function '解析项目源码(手动指定和筛选源码文件类型)' permits the execution of user-provided regular expressions. Certain regular expressions can cause the Python RE engine to take exponential time to execute, leading to a Denial of Service (DoS) condition. An attacker who controls both the regular expression and the search string can exploit this vulnerability to hang the server for an arbitrary amount of time.
Severity ?
6.5 (Medium)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
Vendor Product Version
binary-husky binary-husky/gpt_academic Affected: unspecified , ≤ latest (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12391",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T17:48:21.749769Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T18:19:59.489Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "binary-husky/gpt_academic",
          "vendor": "binary-husky",
          "versions": [
            {
              "lessThanOrEqual": "latest",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. The function \u0027\u89e3\u6790\u9879\u76ee\u6e90\u7801\uff08\u624b\u52a8\u6307\u5b9a\u548c\u7b5b\u9009\u6e90\u7801\u6587\u4ef6\u7c7b\u578b\uff09\u0027 permits the execution of user-provided regular expressions. Certain regular expressions can cause the Python RE engine to take exponential time to execute, leading to a Denial of Service (DoS) condition. An attacker who controls both the regular expression and the search string can exploit this vulnerability to hang the server for an arbitrary amount of time."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333 Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-15T12:50:18.175Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/70b3f4f0-6b1b-4563-a18c-fe46502e6ba0"
        }
      ],
      "source": {
        "advisory": "70b3f4f0-6b1b-4563-a18c-fe46502e6ba0",
        "discovery": "EXTERNAL"
      },
      "title": "Regular Expression Denial of Service (ReDoS) in binary-husky/gpt_academic"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-12391",
    "datePublished": "2025-03-20T10:10:33.279Z",
    "dateReserved": "2024-12-09T22:00:22.961Z",
    "dateUpdated": "2025-10-15T12:50:18.175Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-12391\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2025-03-20T10:15:28.510\",\"lastModified\":\"2025-10-15T13:15:40.393\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. The function \u0027\u89e3\u6790\u9879\u76ee\u6e90\u7801\uff08\u624b\u52a8\u6307\u5b9a\u548c\u7b5b\u9009\u6e90\u7801\u6587\u4ef6\u7c7b\u578b\uff09\u0027 permits the execution of user-provided regular expressions. Certain regular expressions can cause the Python RE engine to take exponential time to execute, leading to a Denial of Service (DoS) condition. An attacker who controls both the regular expression and the search string can exploit this vulnerability to hang the server for an arbitrary amount of time.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en binary-husky/gpt_academic, a partir de la confirmaci\u00f3n 310122f, permite un ataque de denegaci\u00f3n de servicio mediante expresiones regulares (ReDoS). La funci\u00f3n \u0027?????????????????????\u0027 permite la ejecuci\u00f3n de expresiones regulares proporcionadas por el usuario. Ciertas expresiones regulares pueden provocar que el motor de Python RE tarde exponencialmente en ejecutarse, lo que provoca una denegaci\u00f3n de servicio (DoS). Un atacante que controle tanto la expresi\u00f3n regular como la cadena de b\u00fasqueda puede explotar esta vulnerabilidad para bloquear el servidor durante un tiempo arbitrario.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:binary-husky:gpt_academic:2024-10-15:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B6DCF58-F2C2-4491-92A8-BAC81C60A9A4\"}]}]}],\"references\":[{\"url\":\"https://huntr.com/bounties/70b3f4f0-6b1b-4563-a18c-fe46502e6ba0\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-12391\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-20T17:48:21.749769Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-20T17:48:23.156Z\"}}], \"cna\": {\"title\": \"Regular Expression Denial of Service (ReDoS) in binary-husky/gpt_academic\", \"source\": {\"advisory\": \"70b3f4f0-6b1b-4563-a18c-fe46502e6ba0\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"binary-husky\", \"product\": \"binary-husky/gpt_academic\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"latest\"}]}], \"references\": [{\"url\": \"https://huntr.com/bounties/70b3f4f0-6b1b-4563-a18c-fe46502e6ba0\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. The function \u0027\\u89e3\\u6790\\u9879\\u76ee\\u6e90\\u7801\\uff08\\u624b\\u52a8\\u6307\\u5b9a\\u548c\\u7b5b\\u9009\\u6e90\\u7801\\u6587\\u4ef6\\u7c7b\\u578b\\uff09\u0027 permits the execution of user-provided regular expressions. Certain regular expressions can cause the Python RE engine to take exponential time to execute, leading to a Denial of Service (DoS) condition. An attacker who controls both the regular expression and the search string can exploit this vulnerability to hang the server for an arbitrary amount of time.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-183\", \"description\": \"CWE-183 Permissive List of Allowed Inputs\"}]}], \"providerMetadata\": {\"orgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"shortName\": \"@huntr_ai\", \"dateUpdated\": \"2025-03-20T10:10:33.279Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-12391\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-20T18:19:59.489Z\", \"dateReserved\": \"2024-12-09T22:00:22.961Z\", \"assignerOrgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"datePublished\": \"2025-03-20T10:10:33.279Z\", \"assignerShortName\": \"@huntr_ai\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.