| Titel | gpt_academic latest Absolute Path Traversal |
|---|
| Beschreibung | The gpt_academic project contains a path traversal vulnerability in its merge_tex_files_ function, which is responsible for processing LaTeX files. The function fails to properly sanitize or restrict file paths specified within the \input{} directive. An attacker can craft a malicious .tex file with directory traversal sequences (e.g., ../) to read arbitrary files from the server or local filesystem where the application is running.
|
|---|
| Quelle | ⚠️ https://github.com/d3do-23/cvelist/blob/main/gpt_academic/Plugins_LFI.md |
|---|
| Benutzer | d3do (UID 79609) |
|---|
| Einreichung | 25.08.2025 04:31 (vor 10 Monaten) |
|---|
| Moderieren | 10.09.2025 16:17 (16 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 323505 [binary-husky gpt_academic bis 3.91 LaTeX File latex_toolbox.py merge_tex_files_ \input{} Directory Traversal] |
|---|
| Punkte | 20 |
|---|