Platform
python
Component
binary-husky/gpt_academic
A Server-Side Request Forgery (SSRF) vulnerability has been identified in gpt_academic, affecting all versions up to the latest release. The flaw resides in the Markdown_Translate.get_files_from_everything() API and is reachable through the HotReload(Markdown翻译中) plugin function, which fetches a user-supplied URL without validating it. Successful exploitation lets an attacker make the Gradio web server issue requests on their behalf, using the server's network position and credentials to reach web resources the attacker could not reach directly, potentially leading to data exfiltration or further system compromise.
The SSRF vulnerability in gpt_academic presents a significant risk because it allows attackers to bypass network-level security controls and reach internal resources. By submitting a crafted URL to the HotReload plugin, an attacker causes the server to issue the request itself, so the request originates from the server's own address and carries whatever trust the server has. This can expose sensitive data such as API keys, database credentials, or internal network configuration, including cloud instance-metadata endpoints reachable only from the host. An attacker could also use the compromised server as a launchpad for lateral movement within the network. Because the URL is not validated, arbitrary schemes, hostnames, and ports can be specified, which greatly expands the attack surface.
The vulnerability was publicly disclosed on 2025-03-20. Currently, there are no known active campaigns exploiting this specific SSRF vulnerability. Public proof-of-concept (PoC) code is not yet available, but the ease of exploitation suggests that it is likely to emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11031 is to upgrade to a patched version of gpt_academic as soon as one is available. Until a patch is deployed, implement temporary workarounds to reduce the attack surface. Configure a Web Application Firewall (WAF) to block requests whose URL parameter points at loopback, private, link-local, or metadata addresses, or at schemes other than http and https. Network segmentation can limit the impact by isolating the gpt_academic server from sensitive internal resources and by egress-filtering its outbound connections. Implement strict URL validation in the HotReload plugin so that only an allowlist of trusted hosts is fetched, and check the addresses a hostname resolves to, not just the name. Consider disabling the HotReload plugin entirely if it is not essential for the application's functionality.
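The following is an added example of the "strict URL validation" workaround described above. It is not code from the gpt_academic project or from the advisory; the allowlisted hostnames, the DNS table, and the function names are assumptions made for illustration. The validator restricts the scheme and port, rejects embedded credentials, requires the hostname to be on an allowlist, and then resolves the name and rejects any answer that is a loopback, private, link-local, or otherwise non-public address. The resolver is injectable so the example runs offline against a constructed DNS table, and so that an allowlisted name that points at an internal address is still refused.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist for illustration; a real deployment configures its own.
ALLOWED_HOSTS = frozenset({"github.com", "raw.githubusercontent.com",
                           "arxiv.org", "docs.example.org"})
ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_PORTS = frozenset({80, 443})


def _is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def _system_resolver(host: str):
    """Default resolver: every A/AAAA answer from the OS resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=_system_resolver):
    """Return url unchanged if it is safe to fetch server-side, else raise ValueError.

    Order matters: cheap syntactic checks first, DNS last, so an attacker cannot
    use the validator itself to probe the resolver with arbitrary names.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        # "https://github.com@evil.example/" parses with host evil.example
        raise ValueError("credentials in URL are not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    host = host.lower().rstrip(".")
    if host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host!r}")
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        addrs = resolver(host)
    except OSError as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise ValueError(f"no addresses for {host!r}")
    for ip in addrs:
        if not _is_public_ip(ip):
            # Catches allowlisted names pointing at 10/8, 127/8, 169.254.169.254, ::1, ...
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return url


def is_safe_url(url, **kwargs) -> bool:
    """Boolean wrapper around validate_fetch_url for policy checks."""
    try:
        validate_fetch_url(url, **kwargs)
        return True
    except ValueError:
        return False


# Constructed DNS table so the demo runs offline; these are not real lookups.
FAKE_DNS = {
    "github.com": ["140.82.121.4"],
    "raw.githubusercontent.com": ["185.199.108.133", "2606:50c0:8000::154"],
    "arxiv.org": ["151.101.3.42"],
    # Allowlisted name that an attacker controls (or rebinds) to the cloud metadata IP.
    "docs.example.org": ["169.254.169.254"],
}


def fake_resolver(host: str):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed table has no entry for {host!r}")


if __name__ == "__main__":
    for candidate in ["https://github.com/binary-husky/gpt_academic",
                      "http://127.0.0.1:7860/",
                      "http://169.254.169.254/latest/meta-data/",
                      "file:///etc/passwd",
                      "https://github.com@evil.example/",
                      "https://docs.example.org/guide.md"]:
        print(f"{candidate:55} -> {'allow' if is_safe_url(candidate, resolver=fake_resolver) else 'block'}")
```

Resolving and checking every returned address is what distinguishes this from a hostname-only allowlist: a name on the list can still be pointed at an internal address by whoever controls its DNS. A complete fix would also pin the checked address when the request is actually made (or disable redirects and re-validate each hop), since a validate-then-fetch gap still leaves room for DNS rebinding.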
Update to the latest version of gpt_academic. As no specific fixed version is specified, ensure you obtain the most recent version from the repository or package. This should include the fix for the SSRF vulnerability.
CVE-2024-11031 is a Server-Side Request Forgery (SSRF) vulnerability in gpt_academic versions up to the latest, allowing attackers to access unauthorized web resources through the HotReload plugin.
If you are running any version of gpt_academic up to and including the latest release, you are potentially affected by this SSRF vulnerability. Upgrade as soon as a patch is available.
The primary fix is to upgrade to a patched version of gpt_academic. Until then, implement WAF rules and network segmentation as temporary mitigations.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation suggests it may be targeted in the future.
Refer to the binary-husky project's official channels (GitHub repository, website) for the latest advisory and patch information.