CVE-2025-10236
Published: 11 September 2025
Summary
CVE-2025-10236 is a low-severity Path Traversal (CWE-22) vulnerability in Binary-Husky Gpt Academic. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Direct Volume Access (T1006). The vulnerability ranks at the 44.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28917
Vulnerability details
A vulnerability has been found in binary-husky gpt_academic up to version 3.91. The affected function is merge_tex_files_ in the file crazy_functions/latex_fns/latex_toolbox.py of the LaTeX File Handler component. Manipulation of the \input{} argument leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Path traversal (CWE-22) via \input{} in LaTeX handler enables remote arbitrary local file read (confidentiality impact), facilitating T1006 (Direct Volume Access) as mapped by VulDB, T1005 (Data from Local System) for collection, and T1190 (Exploit Public-Facing Application) for remote exploitation.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
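As an added illustration of the control above applied to the \input{} handling described under Vulnerability details (example code written for this page, not code from gpt_academic or from VulDB): a LaTeX merger that canonicalises every referenced path and refuses any that resolves outside the project directory. The function names, the regular expression and the sample project are assumptions made for the example.

```python
import os
import re
import tempfile

# Matches \input{...} and \include{...}; a constructed pattern for this example.
INPUT_RE = re.compile(r"\\(?:input|include)\{([^}]+)\}")

def resolve_input_path(project_dir, ref):
    """Map an \\input{} argument to a path confined to project_dir.
    realpath() collapses '..' and symlinks, so containment is checked on
    canonical paths, not the raw string. Raises ValueError on escape."""
    base = os.path.realpath(project_dir)
    name = ref.strip()
    if not name.endswith(".tex"):
        name += ".tex"  # LaTeX appends .tex when no extension is given
    # An absolute argument makes os.path.join discard base; commonpath still catches it.
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"\\input{{{ref}}} resolves outside the project")
    return candidate

def is_confined(project_dir, ref):
    # True when ref stays inside project_dir, False when it would traverse.
    try:
        resolve_input_path(project_dir, ref)
        return True
    except ValueError:
        return False

def merge_tex(project_dir, tex_source):
    """Inline referenced files recursively, reading only confined paths."""
    def inline(match):
        path = resolve_input_path(project_dir, match.group(1))
        with open(path, encoding="utf-8") as fh:
            return merge_tex(project_dir, fh.read())
    return INPUT_RE.sub(inline, tex_source)

def demo():
    """Constructed project: one real chapter plus one traversal attempt.
    Returns (merged_text, error_message_for_the_rejected_reference)."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "chapters"))
        with open(os.path.join(d, "chapters", "intro.tex"), "w") as fh:
            fh.write("Intro body.")
        merged = merge_tex(d, r"\section{A} \input{chapters/intro}")
        try:
            merge_tex(d, r"\input{../../outside/notes}")
            rejected = None
        except ValueError as exc:
            rejected = str(exc)
    return merged, rejected
```

The containment test compares canonical paths with os.path.commonpath rather than a string prefix, so a sibling directory whose name merely starts with the project name is also rejected.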