CVE-2024-12390

HIGH

Binary-husky Gpt Academic - Symlink Following

Description

A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application supports the extraction of user-provided RAR files without proper validation. The Python rarfile module, which supports symlinks, can be exploited to perform arbitrary file writes. This can lead to remote code execution by writing to sensitive files such as SSH keys, crontab files, or the application's own code.
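A pre-extraction check for the condition described above, as an added example that is not code from gpt_academic or from the rarfile project. `Entry`, `audit_members` and `SAMPLE` are hypothetical names; the check assumes archive members expose `filename` and `is_symlink()`, as `rarfile.RarInfo` does in rarfile 4.0 and later.

```python
import os
from dataclasses import dataclass


@dataclass
class Entry:
    """Constructed stand-in for an archive member; only the two attributes
    the check reads (filename, is_symlink()) are modelled."""
    filename: str
    symlink: bool = False

    def is_symlink(self) -> bool:
        return self.symlink


def audit_members(entries, dest):
    """Return [(filename, reason)] for members that must not be extracted."""
    root = os.path.realpath(dest)
    problems = []
    for e in entries:
        name = e.filename.replace("\\", "/")
        if e.is_symlink():
            # A link member can redirect later writes outside dest.
            problems.append((e.filename, "symlink member"))
            continue
        if name.startswith("/") or name[1:2] == ":":
            # POSIX absolute path or Windows drive prefix (conservative).
            problems.append((e.filename, "absolute path"))
            continue
        # realpath collapses ".." and resolves any link already on disk,
        # so a write through a pre-existing symlink is caught as well.
        target = os.path.realpath(os.path.join(root, name))
        if os.path.commonpath([root, target]) != root:
            problems.append((e.filename, "escapes destination"))
    return problems


# Constructed sample listing, not taken from a real archive.
SAMPLE = [
    Entry("paper/main.tex"),
    Entry("paper/link", symlink=True),
    Entry("../outside.txt"),
    Entry("/abs.txt"),
]
```

Extract only when `audit_members` returns an empty list, and reject the whole upload otherwise rather than skipping individual members.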

Scores

CVSS v3 8.8
EPSS 0.0291
EPSS Percentile 86.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-59
Status published
Products (1)
binary-husky/gpt_academic 2024-10-15
Published Mar 20, 2025
Tracked Since Feb 18, 2026