CVE-2024-10101 in gpt_academic
Summary
by MITRE • 10/17/2024
A stored cross-site scripting (XSS) vulnerability exists in binary-husky/gpt_academic version 3.83. The vulnerability occurs at the /file endpoint, which renders HTML files. Malicious HTML files containing XSS payloads can be uploaded and stored in the backend, leading to the execution of the payload in the victim's browser when the file is accessed. This can result in the theft of session cookies or other sensitive information.
Analysis
by VulDB Data Team • 07/12/2025
The vulnerability identified as CVE-2024-10101 represents a critical stored cross-site scripting flaw within the binary-husky/gpt_academic application version 3.83. This security weakness resides at the /file endpoint where the system processes and renders HTML files uploaded by users. The flaw allows attackers to exploit the application's file handling mechanisms by uploading malicious HTML content that contains embedded XSS payloads. Once stored within the application's backend storage system, these malicious files remain persistent and can be retrieved by any user who accesses them through the vulnerable endpoint. The stored nature of this vulnerability means that the malicious code does not require user interaction beyond visiting the affected page, making it particularly dangerous as it can silently execute in the victim's browser context without their knowledge or consent. The vulnerability directly impacts the application's integrity and user security by creating a persistent attack surface that can be leveraged for session hijacking and data exfiltration.
The technical implementation of this vulnerability stems from inadequate input validation and output encoding within the application's file rendering pipeline. When HTML files are uploaded and subsequently served through the /file endpoint, the system fails to properly sanitize or escape potentially dangerous content that could be embedded within the HTML markup. This oversight allows attackers to inject malicious scripts that execute within the context of other users' browsers when they access the stored files. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and demonstrates how improper handling of user-supplied data can lead to severe security consequences. The flaw essentially bypasses the application's security controls by treating user-uploaded content as trusted, thereby creating an execution environment where malicious payloads can operate with the privileges of the victim user.
The operational impact of this vulnerability extends beyond simple data theft to encompass comprehensive session manipulation and potential privilege escalation within the application's user context. When victims access maliciously uploaded HTML files, their browsers execute the embedded scripts, which can steal session cookies, capture keystrokes, redirect traffic to malicious domains, or even establish persistent backdoors within the victim's browsing environment. The stored nature of the vulnerability means that the attack can be executed repeatedly against multiple users without requiring additional exploitation efforts, making it a particularly effective vector for mass compromise. This vulnerability also aligns with ATT&CK technique T1566, which covers social engineering through malicious file delivery, and T1071.001, which covers application layer protocol usage for command and control communications. The potential for credential theft and session hijacking creates significant risk for organizations relying on the application for sensitive operations.
Mitigation strategies for CVE-2024-10101 should focus on implementing robust input validation and output encoding mechanisms at the application level. The most effective immediate solution involves sanitizing all user-uploaded content before storage and rendering, particularly for HTML files that may contain executable elements. Implementing Content Security Policy headers can provide additional defense-in-depth by restricting script execution within the application's context. Organizations should also consider implementing file type restrictions and content validation to prevent the storage of potentially dangerous markup. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other application components. The fix should include proper HTML escaping of all user-supplied content, implementation of a whitelist-based file type validation system, and enforcement of strict access controls for file upload and retrieval operations. Additionally, monitoring and logging mechanisms should be enhanced to detect suspicious file upload activities and unauthorized access attempts to stored files, providing early warning capabilities for potential exploitation attempts.
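One way to apply the file-type allowlist and Content Security Policy points above when serving uploads is shown below. This is an added example, not gpt_academic's own code or its actual fix; the function name `safe_file_headers`, the extension list and the inline allowlist are assumptions.

```python
import mimetypes
from pathlib import PurePosixPath

# Extensions a browser renders as active content in the serving origin
# (assumed list for this example; extend it for your deployment).
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml", ".svg", ".xml"}

# Allowlist of media types that may be displayed inline (assumed).
INLINE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}


def safe_file_headers(filename: str) -> dict:
    """Build response headers for serving a user-uploaded file.

    Anything outside the inline allowlist is sent as an opaque download,
    so uploaded markup is never rendered in the application's origin.
    """
    # Keep only the final path component, whatever separator was used.
    name = PurePosixPath(filename.replace("\\", "/")).name
    ext = PurePosixPath(name).suffix.lower()
    guessed, _ = mimetypes.guess_type(name)

    headers = {
        # Stop the browser from sniffing a different, executable type.
        "X-Content-Type-Options": "nosniff",
        # Defense in depth: no scripts, no subresources, sandboxed origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

    if ext not in ACTIVE_EXTENSIONS and guessed in INLINE_TYPES:
        headers["Content-Type"] = guessed
        headers["Content-Disposition"] = "inline"
    else:
        # Reduce the name to a conservative ASCII set before echoing it
        # back in a header, so quotes or control characters cannot break it.
        safe = "".join(
            c if (c.isascii() and c.isalnum()) or c in "._-" else "_"
            for c in name
        ) or "download"
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe}"'
    return headers
```

The returned dictionary is meant to be attached to the file response by whatever web framework serves the `/file` route.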