CVE-2025-25185
Published: 03 March 2025
Summary
CVE-2025-25185 is a high-severity Link Following (CWE-59) vulnerability in Binary-Husky Gpt Academic. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 30.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of uploaded tar.gz archives to block malicious symlinks before decompression and file access.
Mandates identification, reporting, and correction of the specific flaw in symlink handling during archive processing.
Enforces logical access controls to prevent the application from resolving symlinks to unauthorized server files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in symlink handling during tar.gz upload exploitation enables arbitrary file reads from the local system (T1005) via a public-facing web application (T1190).
NVD Description
GPT Academic provides interactive interfaces for large language models. In 3.91 and earlier, GPT Academic does not properly account for soft links. An attacker can create a malicious file as a soft link pointing to a target file, then package…
more
this soft link file into a tar.gz file and upload it. Subsequently, when accessing the decompressed file from the server, the soft link will point to the target file on the victim server. The vulnerability allows attackers to read all files on the server.
Deeper analysisAI
CVE-2025-25185 is a file access vulnerability affecting GPT Academic, an open-source tool that provides interactive interfaces for large language models, in versions 3.91 and earlier. The issue arises because the application fails to properly account for soft links (symlinks) during handling of uploaded tar.gz archives. Classified under CWE-59 (Improper Link Resolution Before File Access), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from network-accessible exploitation with low complexity and no privileges required.
An unauthenticated attacker can exploit this vulnerability remotely by crafting a tar.gz file containing a malicious soft link that points to a target file on the victim server. After uploading the archive, the server decompresses it, and subsequent access to the symlink resolves to the targeted server file, enabling arbitrary file reads across the entire filesystem.
The GitHub security advisory (GHSA-gqp5-wm97-qxcv) and a related commit (5dffe8627f681d7006cebcba27def038bb691949) in the binary-husky/gpt_academic repository address the issue, with the commit likely implementing the fix for symlink handling during archive processing.
As GPT Academic supports interactive access to large language models, this vulnerability holds relevance for AI/ML environments where such interfaces are deployed, potentially exposing sensitive model data or configurations. No public evidence of real-world exploitation is noted in available details.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- GPT Academic is a platform providing interactive interfaces for large language models (LLMs), fitting the Enterprise AI Assistants category as it enables user interaction with AI models in a deployed environment.