Cyber Resilience

CVE-2024-12389

High · Public PoC

Published: 20 March 2025

Modified: 31 July 2025
KEV Added: not listed
Patch: not recorded
CVSS Score v3: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0291 (86.7th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12389 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Binary-Husky Gpt Academic. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 13.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability to perform arbitrary file writes, which can lead to remote code execution.
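The root cause described above is that archive member names are trusted as written. The defensive counterpart is to inspect every member path before extraction and refuse the whole archive if any entry would resolve outside the target directory. The following is an added example, not code from gpt_academic or from py7zr; the member names are constructed test data (including the '\..\filename' form that CWE-29 describes), the directory /tmp/upload is a placeholder, and the py7zr calls in safe_extract_7z are assumed from that library's public interface rather than taken from this page.

```python
"""Defensive pre-extraction check for archive member names.

Added example (not gpt_academic or py7zr code). Every member path is
validated against the intended extraction directory; if any entry would
land outside it, nothing is extracted.
"""
import ntpath
import os
import posixpath

# Constructed sample member names, as an archive listing might return them.
CONSTRUCTED_MEMBERS = [
    "docs/notes.txt",                  # benign relative path
    "a/../b.txt",                      # '..' that stays inside the target
    "..\\..\\etc\\cron.d\\job",        # CWE-29 '\..\filename' form
    "sub/../../outside.txt",           # POSIX-style escape
    "/etc/passwd",                     # absolute path
    "C:\\Windows\\System32\\x.dll",    # drive-letter path
]


def normalize_member(name: str) -> str:
    """Treat backslashes as separators too, so a Windows-style '..\\x'
    is recognised as a traversal even when extracting on a POSIX host."""
    return name.replace("\\", "/")


def escapes_extraction_dir(name: str, dest: str) -> bool:
    """Return True if extracting `name` under `dest` would write outside it."""
    norm = normalize_member(name)
    # Absolute paths (POSIX or Windows) and drive letters are never acceptable.
    if posixpath.isabs(norm) or ntpath.isabs(norm) or ntpath.splitdrive(norm)[0]:
        return True
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, norm))
    # After '.' and '..' are resolved, the target must still sit inside dest.
    return os.path.commonpath([dest_abs, target]) != dest_abs


def unsafe_members(names, dest):
    """Return the subset of member names that would escape `dest`."""
    return [n for n in names if escapes_extraction_dir(n, dest)]


def safe_extract_7z(archive_path: str, dest: str):
    """Wire the check in front of py7zr (assumed dependency, not run here):
    list the members first, extract only if every one of them is safe."""
    import py7zr  # assumed available; SevenZipFile/getnames/extractall are its public API
    with py7zr.SevenZipFile(archive_path, mode="r") as archive:
        bad = unsafe_members(archive.getnames(), dest)
        if bad:
            raise ValueError(f"refusing to extract, unsafe entries: {bad}")
        archive.extractall(path=dest)


def demo(dest: str = "/tmp/upload"):
    """Run the check over the constructed listing and return the rejected names."""
    return unsafe_members(CONSTRUCTED_MEMBERS, dest)


if __name__ == "__main__":
    for name in demo():
        print("would escape extraction directory:", name)
```

The check is deliberately all-or-nothing: partially extracting an archive that contains hostile entries still leaves attacker-controlled files on disk. Name validation covers the path-traversal class only; an archive format that can carry symbolic-link entries needs a separate check that no link points outside the destination, because a later member written through such a link also escapes.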

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in user-provided 7z extraction enables arbitrary file writes outside the intended directory, which facilitates exploitation of public-facing applications or remote services for RCE (T1190, T1210) and the deployment of web shells via those file writes (T1505.003).

Affected Assets

binary-husky
gpt academic
2024-10-15

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
