CVE-2024-10819
Published: 20 March 2025
Summary
CVE-2024-10819 is a high-severity CSRF (CWE-352) vulnerability in Binary-Husky Gpt Academic. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms like anti-CSRF tokens to verify session authenticity, directly preventing forged requests that exploit user sessions for unauthorized file uploads.
SI-10 enforces validation of information inputs such as file uploads, blocking malicious scripts from being stored and thereby removing the source of the stored XSS.
SI-15 applies output filtering to prevent execution of stored XSS payloads from uploaded malicious files, mitigating information theft and unauthorized actions.
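The three controls above map onto three checks in an upload handler: proving the request came from the application's own page (SC-23), validating the file before it is stored (SI-10), and escaping the stored name before echoing it back into HTML (SI-15). The following is an added, self-contained example written for this page; it is not gpt_academic's code and does not model its real upload endpoint. The request model, the trusted origin https://app.example.test, the extension allow-list and the sample requests in demo() are all constructed for illustration.

```python
import hmac
import html
import os
import secrets
from dataclasses import dataclass


# Constructed request model for the example; gpt_academic's real handler is not modelled here.
@dataclass
class UploadRequest:
    method: str
    headers: dict          # e.g. {"Origin": "https://app.example.test"}
    form: dict             # form fields, including the anti-CSRF token
    filename: str
    content: bytes
    session: dict          # server-side session store for this user


# Assumed deployment values, not taken from the project.
TRUSTED_ORIGINS = {"https://app.example.test"}
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".md"}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024
ACTIVE_CONTENT_MARKERS = (b"<script", b"javascript:", b"onerror=", b"<svg")


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the session (SC-23); the upload form must echo it back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_is_trusted(req: UploadRequest) -> bool:
    """Accept only an Origin (or Referer, as fallback) that matches a trusted site exactly."""
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    return any(origin == o or origin.startswith(o + "/") for o in TRUSTED_ORIGINS)


def csrf_check(req: UploadRequest) -> tuple[bool, str]:
    """SC-23: reject requests that a third-party page caused the victim's browser to send."""
    if not _origin_is_trusted(req):
        return False, "origin not trusted"
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token")
    if not expected or not supplied:
        return False, "csrf token missing"
    if not hmac.compare_digest(expected, supplied):   # constant-time comparison
        return False, "csrf token mismatch"
    return True, "ok"


def upload_check(filename: str, content: bytes) -> tuple[bool, str]:
    """SI-10: validate the file name, type, size and leading bytes before anything is stored."""
    if filename != os.path.basename(filename) or filename in ("", ".", ".."):
        return False, "path component in file name"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '<none>'} not allowed"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    head = content[:4096].lower()
    if any(marker in head for marker in ACTIVE_CONTENT_MARKERS):
        return False, "active content in upload"
    return True, "ok"


def render_filename(filename: str) -> str:
    """SI-15: escape the stored name before it is written into an HTML page."""
    return html.escape(filename, quote=True)


def handle_upload(req: UploadRequest) -> tuple[int, str]:
    """Order matters: a forged request is rejected before the payload is even inspected."""
    if req.method != "POST":
        return 405, "method not allowed"
    ok, reason = csrf_check(req)
    if not ok:
        return 403, reason
    ok, reason = upload_check(req.filename, req.content)
    if not ok:
        return 400, reason
    return 200, f"stored {render_filename(req.filename)}"


def demo() -> dict:
    """Constructed requests: a cross-site forged upload, a genuine one, and a script-bearing file."""
    session = {}
    token = issue_csrf_token(session)
    forged = UploadRequest("POST", {"Origin": "https://attacker.example"}, {},
                           "note.txt", b"hello", session)
    genuine = UploadRequest("POST", {"Origin": "https://app.example.test"},
                            {"csrf_token": token}, "note.txt", b"hello", session)
    script = UploadRequest("POST", {"Origin": "https://app.example.test"},
                           {"csrf_token": token}, "page.md",
                           b"<script>document.location='https://attacker.example'</script>", session)
    return {"forged": handle_upload(forged), "genuine": handle_upload(genuine),
            "script": handle_upload(script)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The session-bound token is the primary SC-23 control; the Origin/Referer comparison is a cheap first filter, not a substitute, because some clients omit both headers. Note that `_origin_is_trusted` matches the origin exactly or as a path prefix, so a look-alike host such as `https://app.example.test.attacker.example` does not pass.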
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability in the public-facing gpt_academic web application directly enables exploitation via T1190. The resulting unauthorized upload of malicious scripts facilitates stored XSS, allowing arbitrary JavaScript execution in the victim's browser context (T1059.007).
NVD Description
A Cross-Site Request Forgery (CSRF) vulnerability in version 3.83 of binary-husky/gpt_academic allows an attacker to trick a user into uploading files without their consent, exploiting their session. This can lead to unauthorized file uploads and potential system compromise. The uploaded file can contain malicious scripts, leading to stored Cross-Site Scripting (XSS) attacks. Through stored XSS, an attacker can steal information about the victim and perform any action on their behalf.
Deeper analysis
CVE-2024-10819 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting version 3.83 of binary-husky/gpt_academic. The flaw allows an attacker to trick an authenticated user into uploading files without their consent by exploiting the user's active session. This enables unauthorized file uploads that can contain malicious scripts, leading to stored Cross-Site Scripting (XSS) attacks and potential system compromise.
The vulnerability can be exploited by any network-based attacker (AV:N) with no required privileges (PR:N), though it requires user interaction (UI:R) such as clicking a malicious link. Successful attacks result in unauthorized file uploads, stored XSS payloads that steal victim information, and the ability to perform arbitrary actions on the victim's behalf within the application context. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
Mitigation details are available in the advisory published on Huntr at https://huntr.com/bounties/45270c4b-a500-4374-a90b-37b604a3ace0. The CVE was published on 2025-03-20T10:15:20.010.
Details
- CWE(s)