| Title | gpt_academic latest Absolute Path Traversal |
|---|
| Description | The gpt_academic project contains a path traversal vulnerability in its merge_tex_files_ function, which is responsible for processing LaTeX files. The function fails to properly sanitize or restrict file paths specified within the \input{} directive. An attacker can craft a malicious .tex file with directory traversal sequences (e.g., ../) to read arbitrary files from the server or local filesystem where the application is running.
|
|---|
| Source | ⚠️ https://github.com/d3do-23/cvelist/blob/main/gpt_academic/Plugins_LFI.md |
|---|
| User | d3do (UID 79609) |
|---|
| Submission | 08/25/2025 04:31 (10 months ago) |
|---|
| Moderation | 09/10/2025 16:17 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 323505 [binary-husky gpt_academic up to 3.91 LaTeX File latex_toolbox.py merge_tex_files_ \input{} path traversal] |
|---|
| Points | 20 |
|---|