CVE-2024-31224
Severity CVSS v4.0:
Pending analysis
Type:
CWE-502
Deserialization of Untrusted Data
Publication date:
08/04/2024
Last modified:
04/11/2025
Description
GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic versions 3.64 through 3.73. The server deserializes untrusted data from the client, which may lead to remote code execution. Any device that exposes the GPT Academic service to the Internet is vulnerable. Version 3.74 contains a patch for the issue. There are no known workarounds aside from upgrading to a patched version.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:binary-husky:gpt_academic:*:*:*:*:*:*:*:* | 3.64-1 (including) | 3.74 (excluding) |
References to Advisories, Solutions, and Tools
- https://github.com/binary-husky/gpt_academic/commit/8af6c0cab6d96f5c4520bec85b24802e6e823f35
- https://github.com/binary-husky/gpt_academic/pull/1648
- https://github.com/binary-husky/gpt_academic/security/advisories/GHSA-jcjc-89wr-vv7g



