CVE-2024-12389

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-12389
A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability to perform arbitrary file writes, which can lead to remote code execution.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://huntr.com/bounties/37afb1c9-bba9-47ee-8617-a5f715271654 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:binary-husky:gpt_academic:2024-10-15:*:*:*:*:*:*:*
History

31 Jul 2025, 19:32

Type Values Removed Values Added
First Time Binary-husky gpt Academic
Binary-husky
References () https://huntr.com/bounties/37afb1c9-bba9-47ee-8617-a5f715271654 - () https://huntr.com/bounties/37afb1c9-bba9-47ee-8617-a5f715271654 - Exploit, Third Party Advisory
CPE cpe:2.3:a:binary-husky:gpt_academic:2024-10-15:*:*:*:*:*:*:*
Summary
  • (es) Existe una vulnerabilidad de path traversal en binary-husky/gpt_academic versión git 310122f. La aplicación permite la extracción de archivos 7z proporcionados por el usuario sin la validación adecuada. El paquete Python py7zr utilizado para la extracción no garantiza que los archivos permanezcan en el directorio de extracción previsto. Un atacante puede explotar esta vulnerabilidad para realizar escrituras arbitrarias en archivos, lo que puede provocar la ejecución remota de código.

20 Mar 2025, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-20 10:15

Updated : 2025-07-31 19:32

NVD link : CVE-2024-12389

Mitre link : CVE-2024-12389

CVE.ORG link : CVE-2024-12389

JSON object : View

Products Affected

binary-husky

  • gpt_academic
CWE
CWE-29

Path Traversal: '\..\filename'