CVE-2024-10948
CVSS 3.0 Score 6.5 of 10 (medium)
Details
Summary
CVE-2024-10948 is a newly discovered vulnerability affecting the latest version of binary-husky/gpt_academic. The issue lies in the upload function and allows any user to read arbitrary files on the system, including sensitive files like `config.py`. An attacker can exploit this by intercepting the WebSocket request sent during file upload and substituting the file path with their target. The server then copies that file to the `private_upload` folder and discloses the resulting path, from which the file can be retrieved via a GET request. This vulnerability poses a significant risk, potentially exposing sensitive system files containing credentials, configuration data, or user information.
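The flaw class described above is a server copying a client-named path without checking where it points. The following is an added example, not code from gpt_academic or from this advisory: it contrasts that unchecked copy with a containment check on the resolved path. The function names, the `staging` directory and the sample files are assumptions made for illustration.

```python
import shutil
import tempfile
from pathlib import Path


class UploadPathError(ValueError):
    """Client-supplied path does not point inside the staging directory."""


def copy_upload_unchecked(client_path, dest_dir):
    # Pattern from the summary: the path in the request is trusted as-is.
    return shutil.copy(client_path, dest_dir)


def copy_upload_confined(client_path, staging_dir, dest_dir):
    """Copy a file only if it really lives inside staging_dir (hypothetical fix)."""
    staging = Path(staging_dir).resolve(strict=True)
    # resolve() follows symlinks and collapses ".." before the containment check.
    source = Path(client_path).resolve(strict=True)
    if not source.is_file() or not source.is_relative_to(staging):
        raise UploadPathError(f"rejected upload source: {client_path!r}")
    # Use only the base name so the destination cannot be steered either.
    target = Path(dest_dir).resolve(strict=True) / source.name
    shutil.copyfile(source, target)
    return str(target)


def demo():
    """Constructed layout: config.py outside staging, one real upload inside."""
    with tempfile.TemporaryDirectory() as root:
        staging, dest = Path(root, "staging"), Path(root, "private_upload")
        staging.mkdir()
        dest.mkdir()
        secret = Path(root, "config.py")
        secret.write_text("API_KEY = 'constructed-sample'\n")
        (staging / "paper.pdf").write_text("constructed upload\n")
        (staging / "link.pdf").symlink_to(secret)
        leaked = Path(copy_upload_unchecked(str(secret), str(dest)))
        results = {"unchecked": leaked.read_text() == secret.read_text()}
        leaked.unlink()
        for name in ("../config.py", "link.pdf", "paper.pdf"):
            try:
                copy_upload_confined(str(staging / name), staging, dest)
                results[name] = "copied"
            except UploadPathError:
                results[name] = "rejected"
        results["dest_files"] = sorted(p.name for p in dest.iterdir())
        return results
```

`demo()` returns a dict showing that the unchecked copy places `config.py` in the served folder, while the confined version rejects the traversal and symlink cases and copies only the genuine upload. `Path.is_relative_to` requires Python 3.9 or later.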