Unrated severityNVD Advisory· Published Mar 3, 2025· Updated Mar 3, 2025

GPT Academic allows arbitary file read by tarfile uncompress within softlink

CVE-2025-25185

Description

GPT Academic provides interactive interfaces for large language models. In 3.91 and earlier, GPT Academic does not properly account for soft links. An attacker can create a malicious file as a soft link pointing to a target file, then package this soft link file into a tar.gz file and upload it. Subsequently, when accessing the decompressed file from the server, the soft link will point to the target file on the victim server. The vulnerability allows attackers to read all files on the server.

Affected products

Binary Husky/Gpt Academicv5
Range: <= 3.91

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/binary-husky/gpt_academic/commit/5dffe8627f681d7006cebcba27def038bb691949mitrex_refsource_MISC
github.com/binary-husky/gpt_academic/security/advisories/GHSA-gqp5-wm97-qxcvmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000