CVE-2024-11033

6.5 MEDIUM

📋 TL;DR

A Denial of Service vulnerability in binary-husky/gpt_academic version 3.83 allows attackers to crash the server by uploading files with excessively long filenames. This affects all users running the vulnerable version of this academic GPT tool. The server becomes unavailable to legitimate users during the attack.

💻 Affected Systems

Products:
  • binary-husky/gpt_academic
Versions: Version 3.83
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with file upload functionality enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability for all users until server restart, potentially causing data loss or corruption of ongoing academic work.

🟠 Likely Case

Temporary service disruption affecting multiple users, requiring manual intervention to restart the service.

🟢 If Mitigated

Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only an HTTP POST request with a crafted filename, making it trivial to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 3.83

Vendor Advisory: https://huntr.com/bounties/78afc15c-7db7-42fe-90f5-a0480a2ec222

Restart Required: Yes

Instructions:

1. Update to the latest version of gpt_academic.
2. Restart the application service.
3. Verify the fix by testing file upload functionality.

🔧 Temporary Workarounds

Filename Length Restriction

all

Implement server-side validation to limit filename length before processing.

# In your file upload handler, add: if len(filename) > 255: return error
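
One way to implement the filename length restriction above, as an added example (not code from gpt_academic or from the advisory). The names validate_upload_filename, handle_upload, UploadRejected and the `save` callback are hypothetical; the 255 limit is the one given above, applied here to the UTF-8 byte length as well as the character count, since len() alone lets long multi-byte names through.

```python
import posixpath
import unicodedata

MAX_NAME_BYTES = 255  # limit from the workaround above

class UploadRejected(ValueError):
    """Raised when an uploaded filename fails validation."""

def validate_upload_filename(raw_name, max_bytes=MAX_NAME_BYTES):
    """Return a safe base name, or raise UploadRejected before any file I/O."""
    if not isinstance(raw_name, str) or not raw_name:
        raise UploadRejected("missing filename")
    # Cheap check on the raw value first, so oversized input is rejected
    # before normalization or path handling does any work on it.
    if len(raw_name) > max_bytes:
        raise UploadRejected("filename too long")
    # Keep only the last path component; clients may send a full path.
    name = posixpath.basename(raw_name.replace("\\", "/"))
    name = unicodedata.normalize("NFC", name)
    if name in ("", ".", "..") or any(ord(c) < 32 or ord(c) == 127 for c in name):
        raise UploadRejected("invalid filename")
    # len() counts code points, but filesystems limit the encoded byte
    # length: 200 CJK characters are 600 bytes in UTF-8.
    try:
        encoded = name.encode("utf-8")
    except UnicodeEncodeError:
        raise UploadRejected("invalid filename") from None
    if len(encoded) > max_bytes:
        raise UploadRejected("filename too long")
    return name

def handle_upload(raw_name, data, save):
    """Hypothetical handler: validate first, then pass the name to `save`."""
    try:
        name = validate_upload_filename(raw_name)
    except UploadRejected as exc:
        return 400, str(exc)
    save(name, data)
    return 200, name
```

The validation has to run before the filename reaches any path join, logging or storage call, so that a rejected request costs the server nothing beyond the check itself.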

Rate Limiting

all

Implement rate limiting on file upload endpoints to prevent rapid exploitation.

# Use web server rate limiting: nginx: limit_req_zone, apache: mod_ratelimit

🧯 If You Can't Patch

  • Disable file upload functionality entirely if not required
  • Implement WAF rules to block requests with excessively long filenames

🔍 How to Verify

Check if Vulnerable:

Test file upload with a filename exceeding 1000 characters; if the service crashes or becomes unresponsive, the installation is vulnerable.

Check Version:

Check package version or application configuration for gpt_academic version

Verify Fix Applied:

Repeat the same test with a long filename; the server should return a proper error response without service disruption.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 413 errors
  • Application crash logs
  • Unusually long filenames in access logs

Network Indicators:

  • Multiple POST requests to upload endpoint with large Content-Length headers
  • Abnormal request patterns to file upload URLs

SIEM Query:

source="web_logs" AND (uri_path="/upload" OR uri_path="*file*upload*") AND (filename_length>500 OR content_length>1000000)
