CVE-2024-10950 Information
Mar 21, 2025
cve
Description
In binary-husky/gpt_academic versions <= 3.83, the CodeInterpreter plugin is vulnerable to code injection caused by prompt injection. The root cause is that user-provided prompts make the LLM generate untrusted code, parts of which are then executed without a sandbox. An attacker can exploit this vulnerability to achieve remote code execution (RCE) on the application backend server, potentially gaining full control of the server.
Reference
https://huntr.com/bounties/9abb1617-0c1d-42c7-a647-d9d2b39c6866