CVE-2024-10986

Name of the Vulnerable Software and Affected Versions GPT Academic version 3.83

Description The issue concerns a Local File Read (LFI) vulnerability through the HotReload function, which can download and extract tar.gz files from arxiv.org. Despite protections against path traversal, the application is vulnerable due to its handling of symlinks, specifically the Tarslip triggered by them, allowing attackers to read arbitrary local files from the victim server.

Recommendations For GPT Academic version 3.83, as a temporary workaround, consider disabling the HotReload function until a patch is available. Restrict access to the HotReload function to minimize the risk of exploitation. Avoid using the HotReload function to download and extract tar.gz files from untrusted sources until the issue is resolved.