FKIE_CVE-2024-31224

Vulnerability from fkie_nvd - Published: 2024-04-08 16:15 - Updated: 2026-06-17 07:28
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic versions 3.64 through 3.73. The server deserializes untrustworthy data from the client, which may risk remote code execution. Any device that exposes the GPT Academic service to the Internet is vulnerable. Version 3.74 contains a patch for the issue. There are no known workarounds aside from upgrading to a patched version.
References
security-advisories@github.comhttps://github.com/binary-husky/gpt_academic/commit/8af6c0cab6d96f5c4520bec85b24802e6e823f35Patch
security-advisories@github.comhttps://github.com/binary-husky/gpt_academic/pull/1648Issue Tracking
security-advisories@github.comhttps://github.com/binary-husky/gpt_academic/security/advisories/GHSA-jcjc-89wr-vv7gVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/binary-husky/gpt_academic/commit/8af6c0cab6d96f5c4520bec85b24802e6e823f35Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/binary-husky/gpt_academic/pull/1648Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/binary-husky/gpt_academic/security/advisories/GHSA-jcjc-89wr-vv7gVendor Advisory
Impacted products
Vendor Product Version
binary-husky gpt_academic *
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "gpt_academic",
          "vendor": "binary-husky",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.64, \u003c 3.74"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    },
    {
      "affectedData": [
        {
          "cpes": [
            "cpe:2.3:a:binary-husky:gpt_academic:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "product": "gpt_academic",
          "vendor": "binary-husky",
          "versions": [
            {
              "lessThan": "3.74",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:binary-husky:gpt_academic:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E52CA9B-9841-41A1-AF7E-75F928D3AD26",
              "versionEndExcluding": "3.74",
              "versionStartIncluding": "3.64-1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic versions 3.64 through 3.73. The server deserializes untrustworthy data from the client, which may risk remote code execution. Any device that exposes the GPT Academic service to the Internet is vulnerable. Version 3.74 contains a patch for the issue. There are no known workarounds aside from upgrading to a patched version."
    },
    {
      "lang": "es",
      "value": "GPT Academic proporciona interfaces interactivas para modelos de lenguaje grandes. Se encontr\u00f3 una vulnerabilidad en las versiones 3.64 a 3.73 de gpt_academic. El servidor deserializa datos no confiables del cliente, lo que puede poner en riesgo la ejecuci\u00f3n remota de c\u00f3digo. Cualquier dispositivo que exponga el servicio GPT Academic a Internet es vulnerable. La versi\u00f3n 3.74 contiene un parche para el problema. No se conocen workarounds aparte de actualizar a una versi\u00f3n parcheada."
    }
  ],
  "id": "CVE-2024-31224",
  "lastModified": "2026-06-17T07:28:00.823",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2024-31224",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2024-04-09T15:55:23.348163Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2024-04-08T16:15:07.790",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/binary-husky/gpt_academic/commit/8af6c0cab6d96f5c4520bec85b24802e6e823f35"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/binary-husky/gpt_academic/pull/1648"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/binary-husky/gpt_academic/security/advisories/GHSA-jcjc-89wr-vv7g"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/binary-husky/gpt_academic/commit/8af6c0cab6d96f5c4520bec85b24802e6e823f35"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/binary-husky/gpt_academic/pull/1648"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/binary-husky/gpt_academic/security/advisories/GHSA-jcjc-89wr-vv7g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.