Cyber Resilience

CVE-2024-10819

Severity: High · Public PoC

Published: 20 March 2025
Modified: 14 July 2025
KEV Added: not listed
Patch: none listed
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-10819 is a high-severity CSRF (CWE-352) vulnerability in Binary-Husky Gpt Academic. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-10819 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting version 3.83 of binary-husky/gpt_academic. The flaw allows an attacker to trick an authenticated user into uploading files without their consent by exploiting the user's active session. This enables unauthorized file uploads that can contain malicious scripts, leading to stored Cross-Site Scripting (XSS) attacks and potential system compromise.

The vulnerability can be exploited by any network-based attacker (AV:N) with no required privileges (PR:N), though it requires user interaction (UI:R) such as clicking a malicious link. Successful attacks result in unauthorized file uploads, stored XSS payloads that steal victim information, and the ability to perform arbitrary actions on the victim's behalf within the application context. The CVSS v3.1 base score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

Mitigation details are available in the advisory published on Huntr at https://huntr.com/bounties/45270c4b-a500-4374-a90b-37b604a3ace0. The CVE was published on 2025-03-20T10:15:20.010.


Vulnerability details

A Cross-Site Request Forgery (CSRF) vulnerability in version 3.83 of binary-husky/gpt_academic allows an attacker to trick a user into uploading files without their consent, exploiting their session. This can lead to unauthorized file uploads and potential system compromise. The uploaded file can contain malicious scripts, leading to stored Cross-Site Scripting (XSS) attacks. Through stored XSS, an attacker can steal information about the victim and perform any action on their behalf.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

The CSRF vulnerability in the public-facing gpt_academic web application directly enables exploitation via T1190. The resulting unauthorized upload of malicious scripts facilitates stored XSS, allowing arbitrary JavaScript execution in the victim's browser context (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2024-11031: same product (Binary-Husky Gpt Academic)
- CVE-2024-11030: same product (Binary-Husky Gpt Academic)
- CVE-2024-10956: same product (Binary-Husky Gpt Academic)
- CVE-2025-25185: same product (Binary-Husky Gpt Academic)
- CVE-2026-0762: same product (Binary-Husky Gpt Academic)
- CVE-2026-0764: same product (Binary-Husky Gpt Academic)
- CVE-2026-0763: same product (Binary-Husky Gpt Academic)
- CVE-2025-28931: shared CWE-352
- CVE-2025-23980: shared CWE-352
- CVE-2025-23710: shared CWE-352

Affected Assets

binary-husky / gpt_academic, version 3.83

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

- Prevent: SC-23 (Session Authenticity) requires mechanisms such as anti-CSRF tokens to verify session authenticity, directly preventing forged requests that exploit user sessions for unauthorized file uploads.
- Prevent: SI-10 (Information Input Validation) enforces validation of information inputs such as file uploads, blocking malicious scripts from being stored and leading to stored XSS.
- Prevent: SI-15 (Information Output Filtering) applies output filtering to prevent execution of stored XSS payloads from uploaded malicious files, mitigating information theft and unauthorized actions.
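The following is an added illustration, not code from gpt_academic or from the advisory, of how the SC-23 and SI-10 controls above look in an upload handler: a session-bound anti-CSRF token checked in constant time plus an Origin/Referer check, and a filename and content allow-list on the upload itself. It is framework-free so it runs stand-alone; the allowed extensions, trusted origin and request dictionaries are constructed assumptions.

```python
import hmac
import pathlib
import secrets

ALLOWED_EXT = {".txt", ".pdf", ".md", ".csv"}  # constructed allow-list
TRUSTED_ORIGIN = "https://app.example"          # assumed origin of the app


def issue_csrf_token(session: dict) -> str:
    """SC-23: bind a fresh random token to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_ok(session: dict, headers: dict, form: dict) -> bool:
    """Forged cross-site requests carry the victim's cookies but not the
    session token, and arrive with a foreign Origin; reject both cases."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not expected or not supplied:
        return False
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    origin = headers.get("Origin")
    if origin is not None:
        return origin == TRUSTED_ORIGIN
    return headers.get("Referer", "").startswith(TRUSTED_ORIGIN + "/")


def upload_ok(filename: str, content: bytes) -> bool:
    """SI-10: no directory parts, no dotfiles, allow-listed extension,
    and a cheap sniff that refuses HTML/script bodies in 'document' files."""
    name = pathlib.PurePosixPath(filename).name
    if name != filename or name.startswith(".") or "\\" in name:
        return False
    if pathlib.PurePosixPath(name).suffix.lower() not in ALLOWED_EXT:
        return False
    head = content[:512].lower()
    return b"<script" not in head and b"<html" not in head


def handle_upload(session, headers, form, filename, content) -> str:
    """Order matters: authenticity of the request before the payload."""
    if not csrf_ok(session, headers, form):
        return "403 forged or cross-origin request"
    if not upload_ok(filename, content):
        return "400 rejected file"
    return "200 stored"
```

SI-15 (output filtering) is the remaining layer: even an accepted file must be served with a non-executable content type and escaped on render, which this snippet does not cover.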
