
Description


A vulnerability has been found in binary-husky gpt_academic up to 3.91. The affected function is merge_tex_files_ in the file crazy_functions/latex_fns/latex_toolbox.py, part of the LaTeX File Handler component. Manipulating the \input{} argument leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


PUBLISHED Reserved 2025-09-10 | Published 2025-09-11 | Updated 2025-09-11 | Assigner VulDB




MEDIUM: 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
MEDIUM: 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
MEDIUM: 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR

Problem types

Path Traversal

Product status

Affected versions:
3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9,
3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19,
3.20, 3.21, 3.22, 3.23, 3.24, 3.25, 3.26, 3.27, 3.28, 3.29,
3.30, 3.31, 3.32, 3.33, 3.34, 3.35, 3.36, 3.37, 3.38, 3.39,
3.40, 3.41, 3.42, 3.43, 3.44, 3.45, 3.46, 3.47, 3.48, 3.49,
3.50, 3.51, 3.52, 3.53, 3.54, 3.55, 3.56, 3.57, 3.58, 3.59,
3.60, 3.61, 3.62, 3.63, 3.64, 3.65, 3.66, 3.67, 3.68, 3.69,
3.70, 3.71, 3.72, 3.73, 3.74, 3.75, 3.76, 3.77, 3.78, 3.79,
3.80, 3.81, 3.82, 3.83, 3.84, 3.85, 3.86, 3.87, 3.88, 3.89,
3.90, 3.91

Timeline

2025-09-10: Advisory disclosed
2025-09-10: VulDB entry created
2025-09-10: VulDB entry last update

Credits

d3do (VulDB User) reporter

References

vuldb.com/?id.323505 (VDB-323505 | binary-husky gpt_academic LaTeX File latex_toolbox.py merge_tex_files_ path traversal) vdb-entry technical-description

vuldb.com/?ctiid.323505 (VDB-323505 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.640977 (Submit #640977 | gpt_academic latest Absolute Path Traversal) third-party-advisory

github.com/.../cvelist/blob/main/gpt_academic/Plugins_LFI.md exploit

cve.org (CVE-2025-10236)

nvd.nist.gov (CVE-2025-10236)
