CVE-2024-12389
Severity: HIGH
binary-husky gpt_academic - Path Traversal and Arbitrary File Write via 7z Extraction
Title source: llmDescription
A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability to perform arbitrary file writes, which can lead to remote code execution.
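The mitigation a reviewer would ask for here is to validate every member name of the uploaded archive before anything is written, rather than relying on the extraction library. The block below is an added example, not code from gpt_academic or from py7zr: it checks that each member path resolves inside the destination directory (covering absolute paths, Windows drive prefixes, and `..` escapes with either separator, the CWE-29 `\..\` form included) and refuses the whole archive if any name fails. The py7zr calls it uses (`SevenZipFile`, `getnames()`, `extractall(path=...)`) are the library's documented API; the sample member names and the destination path are constructed for the demonstration.

```python
"""Pre-extraction member-name check for 7z archives.

Added example (not gpt_academic's or py7zr's own code). The check runs on the
member names before any file is written, so it holds regardless of how the
extraction library itself treats '..' segments or absolute paths.
"""
import os
import pathlib
import tempfile


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if archive member `name` resolves to a path inside `dest`.

    Rejects empty names, embedded NULs, absolute POSIX paths, Windows drive or
    UNC prefixes, and any '..' sequence that escapes `dest`, whether written
    with '/' or '\\' separators (the CWE-29 '\\..\\' form included).
    """
    if not name or "\x00" in name:
        return False
    # Treat backslashes as separators so '..\\..\\x' is caught on POSIX hosts too.
    norm = name.replace("\\", "/")
    if norm.startswith("/") or pathlib.PureWindowsPath(name).drive:
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, norm))
    # realpath collapses '.' and '..'; the member is safe only if the resolved
    # target still has the destination directory as a path-component prefix.
    return os.path.commonpath([dest_real, target]) == dest_real


def unsafe_members(names, dest: str) -> list:
    """Return the names from `names` that would be written outside `dest`."""
    return [n for n in names if not is_safe_member(n, dest)]


def safe_extract_7z(archive_path: str, dest: str) -> None:
    """Extract `archive_path` into `dest`, refusing the whole archive if any
    member name is unsafe. Uses py7zr's SevenZipFile.getnames()/extractall()."""
    import py7zr  # third-party; only needed for real extraction, not the checks

    with py7zr.SevenZipFile(archive_path, "r") as archive:
        bad = unsafe_members(archive.getnames(), dest)
        if bad:
            raise ValueError(f"refusing to extract, unsafe member names: {bad}")
        archive.extractall(path=dest)


# Constructed member names standing in for what a malicious upload could carry.
SAMPLE_MEMBER_NAMES = [
    "docs/readme.txt",         # plain relative path: safe
    "sub/./ok.bin",            # '.' segment: safe
    "a/b/../c.txt",            # '..' that stays inside dest: safe
    "../../etc/cron.d/evil",   # POSIX traversal out of dest
    "/etc/passwd",             # absolute path
    "..\\..\\win.ini",         # backslash traversal (CWE-29 form)
    "C:\\Windows\\win.ini",    # drive-letter absolute path
    "a/../../escape",          # traversal hidden behind a normal first segment
]


def demo(dest=None) -> list:
    """Run the check over SAMPLE_MEMBER_NAMES and return the rejected names."""
    if dest is None:
        # Placeholder destination; it does not need to exist for the check.
        dest = os.path.join(tempfile.gettempdir(), "gpt_academic_extract")
    return unsafe_members(SAMPLE_MEMBER_NAMES, dest)


if __name__ == "__main__":
    for n in demo():
        print("rejected:", n)
```

Two design points: the check is done on the names returned by `getnames()` before extraction starts, not by inspecting the filesystem afterwards, since by then the overwrite has already happened; and a single bad entry rejects the whole upload instead of silently skipping it, so a crafted archive cannot be used to probe which names slip through.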
References (1)
Core References (1)
Exploit, Third Party Advisory: https://huntr.com/bounties/37afb1c9-bba9-47ee-8617-a5f715271654
Scores
CVSS v3: 8.8 (HIGH)
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0138
EPSS Percentile: 68.4%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-29 (Path Traversal: '\..\Filename')
Status: published
Products (1)
binary-husky/gpt_academic
2024-10-15
Published: Mar 20, 2025
Tracked Since: Feb 18, 2026