CVE-2024-10954

In the `manim` plugin of binary-husky/gpt_academic, versions prior to the fix, a vulnerability exists due to improper handling of user-provided prompts. The root cause is the execution of untrusted code generated by the LLM without a proper sandbox. This allows an attacker to perform remote code execution (RCE) on the app backend server by injecting malicious code through the prompt.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/72d034e3-6ca2-495d-98a7-ac9565588c09	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:binary-husky:gpt_academic:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-10-15 13:15

NVD link : CVE-2024-10954

Mitre link : CVE-2024-10954

CVE.ORG link : CVE-2024-10954

JSON object : View

Products Affected

binary-husky

gpt_academic

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

8.8 /10