CVE-2024-10819

8.8 HIGH

📋 TL;DR

A CSRF vulnerability in binary-husky/gpt_academic version 3.83 allows attackers to trick authenticated users into uploading malicious files without their consent. This can lead to stored XSS attacks where attackers can steal user information and perform actions on their behalf. Anyone using the vulnerable version of this software is affected.

💻 Affected Systems

Products:
  • binary-husky/gpt_academic
Versions: Version 3.83
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with file upload functionality enabled and user authentication.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover, data theft, and potential system compromise through malicious file uploads leading to stored XSS that executes arbitrary actions as the victim.

🟠

Likely Case

Unauthorized file uploads leading to stored XSS attacks that steal session cookies and user data, potentially compromising user accounts.

🟢

If Mitigated

Limited impact with proper CSRF protections and file upload restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (visiting malicious page while authenticated) and file upload functionality to be accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 3.83

Vendor Advisory: https://huntr.com/bounties/45270c4b-a500-4374-a90b-37b604a3ace0

Restart Required: No

Instructions:

1. Update to the latest version of binary-husky/gpt_academic.
2. Verify CSRF tokens are properly implemented on all file upload endpoints.
3. Test file upload functionality after update.

🔧 Temporary Workarounds

Implement CSRF Protection

all

Add CSRF tokens to all file upload forms and validate them server-side.

Restrict File Uploads

all

Disable file upload functionality or restrict to trusted users only.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact.
  • Use SameSite cookies and require re-authentication for sensitive actions.
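As an added illustration of the workarounds above (server-side CSRF token validation and SameSite cookies), and not code from gpt_academic or from the advisory: a minimal gate for an upload endpoint that binds a CSRF token to the session, checks the request's Origin (or Referer) against an allowlist, and issues the session cookie with SameSite=Lax. The server secret, the allowed origin and all function names are assumptions.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

# Assumptions for this example: a per-deployment secret and the site's own origin.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_ORIGINS = {"https://gpt-academic.example"}  # constructed placeholder host


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token by HMAC-ing the session id with a server
    secret. Embed it in the upload form; nothing extra has to be stored server-side."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own site.
    A request carrying neither header is rejected rather than trusted."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def validate_upload_request(session_id: str, headers: dict, form: dict) -> tuple:
    """Server-side check to run before touching an uploaded file.
    Returns (accepted, reason) so the caller can log the rejection cause."""
    if not origin_allowed(headers):
        return False, "origin not allowed"
    supplied = form.get("csrf_token", "")
    # compare_digest needs ASCII str inputs; anything else is simply invalid.
    if not isinstance(supplied, str) or not supplied.isascii():
        return False, "malformed csrf token"
    if not hmac.compare_digest(issue_csrf_token(session_id), supplied):
        return False, "missing or invalid csrf token"
    return True, "ok"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: SameSite=Lax makes the browser withhold the session cookie
    on cross-site POSTs, a second layer beside the token check above."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

A rejected request is the event worth logging; its reason string maps onto the "POST requests to upload endpoints without proper referrer headers or CSRF tokens" indicator listed under Detection & Monitoring.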

🔍 How to Verify

Check if Vulnerable:

Check if running version 3.83 of binary-husky/gpt_academic and if file upload endpoints lack CSRF protection.

Check Version:

Check package.json or version file in the gpt_academic installation directory.

Verify Fix Applied:

Verify version is updated beyond 3.83 and test file upload endpoints for CSRF token validation.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file uploads from users
  • Multiple failed upload attempts
  • Uploads containing script tags or malicious content

Network Indicators:

  • POST requests to upload endpoints without proper referrer headers or CSRF tokens
  • File uploads from unexpected sources

SIEM Query:

source="web_logs" AND (uri_path="/upload" OR uri_path="/file_upload") AND (NOT csrf_token=*)
