CVE-2024-10956
HIGHGPT Academy 3.83 - Cross-Site WebSocket Hijacking via Insufficient Origin Validation
Title source: llmDescription
GPT Academy version 3.83 in the binary-husky/gpt_academic repository is vulnerable to Cross-Site WebSocket Hijacking (CSWSH). This vulnerability allows an attacker to hijack an existing WebSocket connection between the victim's browser and the server, enabling unauthorized actions such as deleting conversation history without the victim's consent. The issue arises due to insufficient WebSocket authentication and lack of origin validation.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/0f8403ad-5f60-4eb9-9f51-8fbd2e41eda4
Scores
CVSS v3
7.1
EPSS
0.0033
EPSS Percentile
24.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-346
Status
published
Products (1)
binary-husky/gpt_academic
3.83
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026