SecuriTricks - CVE-2024-12391

Description

A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. The function '解析项目源码（手动指定和筛选源码文件类型）' permits the execution of user-provided regular expressions. Certain regular expressions can cause the Python RE engine to take exponential time to execute, leading to a Denial of Service (DoS) condition. An attacker who controls both the regular expression and the search string can exploit this vulnerability to hang the server for an arbitrary amount of time.

Product(s) Impacted

Vendor	Product	Versions
Binary-husky	Gpt Academic	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-183

Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	binary-husky	gpt_academic	/	/	/	/	/	/	/	/

References

https://huntr.com/bounties/70b3f4f0-6b1b-4563-a18c-fe46502e6ba0

CVSS Score

6.5 / 10

CVSS Data - 3.0

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

View Vector String

Timeline

Published: March 20, 2025, 10:15 a.m.
Last Modified: March 20, 2025, 10:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@huntr.dev

CVE-2024-12391