CVE-2024-12389
Published: 20 March 2025
Summary
CVE-2024-12389 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Binary-Husky Gpt Academic. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7018
Vulnerability details
A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability to perform arbitrary file writes, which can lead to remote code execution.
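The root cause described above is that archive member names are passed to the extractor without first checking that they resolve inside the destination directory. The following is an added example (not code from gpt_academic or from py7zr) of the pre-extraction check a defender would want: it normalises Windows-style separators (the '\..\filename' form of CWE-29), rejects absolute paths and drive letters, and verifies the fully resolved target still lies under the destination. It operates on a plain list of member names; how the caller obtains those names from the archive library is not shown, and the sample member list and destination path are constructed for illustration.

```python
import os

# Constructed sample of member names as they might appear in an uploaded archive.
SAMPLE_MEMBERS = [
    "paper/notes.txt",               # ordinary relative path: allowed
    "paper/./deep/../summary.md",    # messy but still inside the tree: allowed
    "paper/../../../outside.txt",    # POSIX-style traversal: rejected
    "..\\..\\outside.py",            # backslash traversal (CWE-29 variant): rejected
    "/abs/outside.txt",              # absolute path: rejected
    "C:\\outside.txt",               # drive-letter path: rejected
]


def is_safe_member(name: str, dest_dir: str) -> bool:
    """Return True only if `name` resolves to a location inside `dest_dir`.

    The check is done on the resolved real path so that `..` segments and any
    pre-existing symlinks under the destination are taken into account.
    """
    # Treat backslashes as separators so '\..\' cannot bypass a '/'-only check.
    normalized = name.replace("\\", "/")

    # Absolute paths and drive-letter prefixes are never acceptable member names.
    if normalized.startswith("/"):
        return False
    if len(normalized) > 1 and normalized[0].isalpha() and normalized[1] == ":":
        return False

    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *normalized.split("/")))

    # The destination must be the common prefix of itself and the target.
    return os.path.commonpath([dest_real, target]) == dest_real


def plan_extraction(members, dest_dir: str):
    """Split member names into those safe to extract and those to reject.

    Extraction of the archive should only proceed if `rejected` is empty;
    logging the rejected names gives a useful detection signal for uploads
    that attempt to escape the extraction directory.
    """
    safe, rejected = [], []
    for name in members:
        (safe if is_safe_member(name, dest_dir) else rejected).append(name)
    return safe, rejected


if __name__ == "__main__":
    # Hypothetical destination directory for an uploaded archive.
    ok, bad = plan_extraction(SAMPLE_MEMBERS, "/tmp/gpt_academic_upload")
    print("safe:", ok)
    print("rejected:", bad)
```

The check validates names before anything is written, so a single rejected member is enough to refuse the whole upload rather than extract the remaining files; the rejected list is also what a WAF or application log rule would key on.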
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in user-provided 7z extraction enables arbitrary file writes outside the intended directory, facilitating exploitation of public-facing applications or remote services for RCE (T1190, T1210) and deployment of web shells via file writes (T1505.003).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.