CVE-2024-12390
Severity: HIGH
binary-husky gpt_academic - Remote Code Execution via RAR File Symlink Extraction
Title source: llmDescription
A vulnerability in binary-husky/gpt_academic at git commit 310122f allows remote code execution. The application extracts user-supplied RAR files without proper validation. The Python rarfile module used for extraction supports symlink entries, and this can be abused to perform arbitrary file writes outside the extraction directory. This can lead to remote code execution by writing to sensitive files such as SSH keys, crontab files, or the application's own code.
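As an added, defender-side example (not code from the advisory, the huntr report, or gpt_academic), the following Python check vets an archive's member list before anything is written to disk, rejecting the pattern the description names: symlink entries, and files whose path would pass through one, along with absolute and `..` paths. `Member` is an assumed stand-in for an archive entry; a caller would populate it from rarfile's `RarInfo.filename` and its symlink flag (the exact accessor depends on the installed rarfile version and should be checked).

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class Member:
    """Assumed minimal shape of one archive entry (name plus symlink flag)."""
    name: str
    is_symlink: bool = False

def _safe_parts(name):
    """Return normalized path parts, or None if the member is absolute
    or would escape the extraction root via '..'."""
    # RAR archives built on Windows may carry backslash separators.
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if name.startswith(("/", "\\")) or PureWindowsPath(name).drive or ".." in parts:
        return None
    return tuple(parts)

def vet_members(members):
    """Classify each member as ('ok', name) or ('reject', name, reason).

    Rejects absolute/traversal paths, every symlink entry, and any entry
    whose path runs through a directory an earlier entry declared as a
    symlink, which is how a symlink-aware extractor ends up writing outside
    the target directory (the CWE-59 pattern in CVE-2024-12390)."""
    seen_links = set()
    verdicts = []
    for m in members:
        parts = _safe_parts(m.name)
        if parts is None:
            verdicts.append(("reject", m.name, "absolute or traversal path"))
        elif m.is_symlink:
            seen_links.add(parts)
            verdicts.append(("reject", m.name, "symlink entry"))
        elif any(parts[:i] in seen_links for i in range(1, len(parts))):
            verdicts.append(("reject", m.name, "path passes through a symlink entry"))
        else:
            verdicts.append(("ok", m.name))
    return verdicts

def is_safe_archive(members):
    """True only when every member passed the checks; extract only then."""
    return all(v[0] == "ok" for v in vet_members(members))

# Constructed sample listings (not taken from the advisory).
BENIGN = [Member("paper/main.tex"), Member("paper/figs/fig1.png")]
HOSTILE = [Member("out", is_symlink=True), Member("out/note.txt")]
```

Run the check over the full member list first and refuse the whole archive on any rejection, rather than skipping individual members, since the ordering of entries is attacker controlled.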
References (1)
Core References:
- Exploit, Third Party Advisory: https://huntr.com/bounties/1add2b26-460d-4aa5-8fda-ab045d153177
Scores
CVSS v3: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0138
EPSS Percentile: 68.4%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-59
Status: published
Products (1)
binary-husky/gpt_academic
2024-10-15
Published: Mar 20, 2025
Tracked Since: Feb 18, 2026