CVE-2024-31224

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of GPT Academic by sending malicious serialized data. Any installation that exposes the GPT Academic service to the Internet is at risk; the affected versions are 3.64 through 3.73. The vulnerability stems from unsafe deserialization of untrusted client data.

💻 Affected Systems

Products:
  • GPT Academic
Versions: 3.64 through 3.73
Operating Systems: All platforms running GPT Academic
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within the affected version range are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case: Remote code execution leading to data theft, service disruption, or cryptocurrency mining malware installation.

🟢 If Mitigated: Limited impact if the service is isolated in a container or sandbox, but still a significant risk of data exposure.

🌐 Internet-Facing: HIGH - Any internet-exposed GPT Academic service is directly vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal exploitation requires network access but could still lead to lateral movement within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the core deserialization mechanism, making exploitation straightforward for attackers with knowledge of the codebase.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.74

Vendor Advisory: https://github.com/binary-husky/gpt_academic/security/advisories/GHSA-jcjc-89wr-vv7g

Restart Required: Yes

Instructions:

1. Back up your current GPT Academic installation.
2. Update to version 3.74 or later using: git pull origin master
3. Restart the GPT Academic service.
4. Verify the update was successful.

🔧 Temporary Workarounds

No workarounds available

The vendor states there are no known workarounds aside from upgrading to the patched version.

🧯 If You Can't Patch

  • Immediately isolate the GPT Academic service from the Internet using firewall rules or network segmentation.
  • Monitor the service closely for suspicious activity and implement strict access controls.

🔍 How to Verify

Check if Vulnerable:

Check the version of GPT Academic installed. If it's between 3.64 and 3.73 inclusive, it's vulnerable.

Check Version:

Check the version in the GPT Academic interface or examine the source code version metadata.

Verify Fix Applied:

Verify the version is 3.74 or higher and check that commit 8af6c0cab6d96f5c4520bec85b24802e6e823f35 is present in the checkout's history.
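An added shell check, not from the advisory or the gpt_academic project, that applies both tests above to a local git checkout. It assumes the repo root holds a JSON file named version with a "version" key (override VERSION_FILE if your layout differs) and uses git for the commit test.

```shell
#!/bin/sh
# Added example, not from the advisory or the gpt_academic project: assess a
# GPT Academic git checkout against CVE-2024-31224 using the two checks above.
# Assumption: the repo root holds a JSON file named "version" with a "version"
# key, e.g. {"version": 3.74, ...}; override VERSION_FILE if your layout differs.
FIX_COMMIT=8af6c0cab6d96f5c4520bec85b24802e6e823f35   # fix commit named in the advisory
VERSION_FILE=${VERSION_FILE:-version}

# Print the "version" value from a JSON string (bare number or quoted).
parse_version_json() {
    printf '%s\n' "$1" |
        sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\{0,1\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# 0 when MAJOR.MINOR is within the affected range 3.64..3.73 (advisory's
# two-digit minor scheme, so 3.70 not 3.7); 1 when outside; 2 when unparseable.
version_affected() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$major$minor" in ""|*[!0-9]*) return 2 ;; esac
    [ "$major" -eq 3 ] || return 1
    [ "$minor" -ge 64 ] || return 1
    [ "$minor" -le 73 ] || return 1
    return 0
}

# 0 when the advisory's fix commit is an ancestor of HEAD in checkout $1.
fix_commit_present() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# Verdict for a checkout: 0 = not affected or patched, 1 = vulnerable, 2 = undetermined.
check_checkout() {
    ver=$(parse_version_json "$(cat "$1/$VERSION_FILE" 2>/dev/null)")
    rc=0; version_affected "$ver" || rc=$?
    case $rc in
        0) echo "VULNERABLE: version $ver is within 3.64..3.73"; return 1 ;;
        2) echo "UNDETERMINED: no usable version in $1/$VERSION_FILE"; return 2 ;;
    esac
    # version_affected left $major/$minor set; anything before 3.64 predates the bug
    if [ "$major" -eq 3 ] && [ "$minor" -lt 64 ]; then
        echo "NOT AFFECTED: version $ver predates the affected range"; return 0
    fi
    if fix_commit_present "$1"; then
        echo "PATCHED: version $ver and fix commit present"; return 0
    fi
    echo "UNDETERMINED: version $ver is past the range but the fix commit was not found"; return 2
}
if [ $# -gt 0 ]; then check_checkout "$1"; fi
```

Run it as `sh check.sh /path/to/gpt_academic`; a git checkout that reports 3.74+ but lacks the fix commit is reported as undetermined rather than patched.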

📡 Detection & Monitoring

Log Indicators:

  • Unusual deserialization errors
  • Unexpected process spawns
  • Abnormal network connections from the GPT Academic process

Network Indicators:

  • Suspicious payloads sent to GPT Academic endpoints
  • Unexpected outbound connections from the server

SIEM Query:

process:gpt_academic AND (event_type:process_creation OR event_type:network_connection) WHERE destination_ip NOT IN [allowed_ips]
