CVE-2024-12389

HIGH

Binary-husky Gpt Academic - Remote Code Execution

Title source: rule

Description

A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability to perform arbitrary file writes, which can lead to remote code execution.
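The missing validation described above can be illustrated with a pre-extraction check on archive member names. This is an added example, not code from gpt_academic or its fix; the function names, destination directory and sample member names are constructed for illustration, and the check covers names only, not link entries stored inside an archive.

```python
import posixpath


def escapes_destination(dest_dir: str, member: str) -> bool:
    """Return True if extracting `member` under `dest_dir` would land outside it."""
    # Archives built on Windows may use backslashes as separators.
    name = member.replace("\\", "/")
    # Absolute paths and drive-letter paths ignore the destination entirely.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    base = posixpath.normpath(dest_dir)
    # normpath collapses "a/../b" and leading "../" sequences lexically.
    target = posixpath.normpath(posixpath.join(base, name))
    # Compare with a trailing separator so that a sibling directory such as
    # ".../extracted_evil" does not pass as being inside ".../extracted".
    return target != base and not target.startswith(base.rstrip("/") + "/")


def rejected_members(names, dest_dir):
    """Return every member name that must block extraction of the archive."""
    return [n for n in names if escapes_destination(dest_dir, n)]


# Constructed sample: with py7zr these names would come from
# SevenZipFile.getnames(), checked before extractall() is called.
DEST = "/srv/app/uploads/extracted"  # hypothetical extraction directory
SAMPLE = [
    "paper/main.tex",
    "paper/figs/../refs.bib",
    "../../app_code/module.py",
    "/etc/cron.d/job",
    "..\\..\\config.py",
    "../extracted_evil/a.txt",
]

if __name__ == "__main__":
    bad = rejected_members(SAMPLE, DEST)
    if bad:
        print("refusing to extract; members outside destination:")
        for name in bad:
            print("  ", name)
    else:
        print("all members stay inside", DEST)
```

Rejecting the whole archive when any member fails is safer than skipping only the offending entries, since a single traversal entry indicates the archive was crafted.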

Scores

CVSS v3: 8.8
EPSS: 0.0291
EPSS Percentile: 86.4%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-29
Status: published
Products (1): binary-husky/gpt_academic 2024-10-15
Published: Mar 20, 2025
Tracked Since: Feb 18, 2026