Cyber Resilience

CVE-2025-25185

HighPublic PoC

Published: 03 March 2025

Published
03 March 2025
Modified
07 March 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0059 69.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25185 is a high-severity Link Following (CWE-59) vulnerability in Binary-Husky Gpt Academic. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 30.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25185 is a file access vulnerability affecting GPT Academic, an open-source tool that provides interactive interfaces for large language models, in versions 3.91 and earlier. The issue arises because the application fails to properly account for soft links (symlinks) during handling of uploaded tar.gz archives. Classified under CWE-59 (Improper Link Resolution Before File Access), it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from network-accessible exploitation with low complexity and no privileges required.

An unauthenticated attacker can exploit this vulnerability remotely by crafting a tar.gz file containing a malicious soft link that points to a target file on the victim server. After uploading the archive, the server decompresses it, and subsequent access to the symlink resolves to the targeted server file, enabling arbitrary file reads across the entire filesystem.

The GitHub security advisory (GHSA-gqp5-wm97-qxcv) and a related commit (5dffe8627f681d7006cebcba27def038bb691949) in the binary-husky/gpt_academic repository address the issue, with the commit likely implementing the fix for symlink handling during archive processing.

As GPT Academic supports interactive access to large language models, this vulnerability holds relevance for AI/ML environments where such interfaces are deployed, potentially exposing sensitive model data or configurations. No public evidence of real-world exploitation is noted in available details.

EU & UK References

Vulnerability details

GPT Academic provides interactive interfaces for large language models. In 3.91 and earlier, GPT Academic does not properly account for soft links. An attacker can create a malicious file as a soft link pointing to a target file, then package…

more

this soft link file into a tar.gz file and upload it. Subsequently, when accessing the decompressed file from the server, the soft link will point to the target file on the victim server. The vulnerability allows attackers to read all files on the server.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: gpt

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability in symlink handling during tar.gz upload exploitation enables arbitrary file reads from the local system (T1005) via a public-facing web application (T1190).

CVEs Like This One

CVE-2024-10956Same product: Binary-Husky Gpt Academic
CVE-2024-11030Same product: Binary-Husky Gpt Academic
CVE-2024-11031Same product: Binary-Husky Gpt Academic
CVE-2024-10819Same product: Binary-Husky Gpt Academic
CVE-2026-0762Same product: Binary-Husky Gpt Academic
CVE-2026-0764Same product: Binary-Husky Gpt Academic
CVE-2026-0763Same product: Binary-Husky Gpt Academic
CVE-2026-31894Shared CWE-59
CVE-2026-32013Shared CWE-59
CVE-2026-32024Shared CWE-59

Affected Assets

binary-husky
gpt academic
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of uploaded tar.gz archives to block malicious symlinks before decompression and file access.

prevent

Mandates identification, reporting, and correction of the specific flaw in symlink handling during archive processing.

prevent

Enforces logical access controls to prevent the application from resolving symlinks to unauthorized server files.

References