CVE-2024-11031
HIGHbinary-husky gpt_academic 3.83 - Server-Side Request Forgery via Markdown_Translate.get_files_from_everything API
Title source: llmDescription
In version 3.83 of binary-husky/gpt_academic, a Server-Side Request Forgery (SSRF) vulnerability exists in the Markdown_Translate.get_files_from_everything() API. This vulnerability is exploited through the HotReload(Markdown翻译中) plugin function, which allows downloading arbitrary web hosts by only checking if the link starts with 'http'. Attackers can exploit this vulnerability to abuse the victim GPT Academic's Gradio Web server's credentials to access unauthorized web resources.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/d27d89a7-7d54-45b9-a9eb-66c00bc56e02
Scores
CVSS v3
7.5
EPSS
0.0062
EPSS Percentile
44.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (1)
binary-husky/gpt_academic
3.83
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026