AVID-2026-R1462

Description

GPT Academic: Pickle deserializing cookies may pose RCE risk (CVE-2024-31224)

Details

GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic versions 3.64 through 3.73. The server deserializes untrusted data from the client, which may lead to remote code execution. Any device that exposes the GPT Academic service to the Internet is vulnerable. Version 3.74 contains a patch for the issue. There are no known workarounds aside from upgrading to a patched version.

Reason for inclusion in AVID: CVE-2024-31224 describes remote code execution via pickle deserialization in the GPT Academic server (versions 3.64–3.73). The vulnerability exists in software that provides AI model interaction interfaces, i.e., a component used to deploy AI systems. It is a security flaw within a software component that sits in the AI deployment/serving stack, making it a software supply-chain risk for general-purpose AI systems. A patched version (3.74) is available, with references to NVD/GHSA and vendor commits, providing clear remediation signals.

References

Affected or Relevant Artifacts

  • Developer: OpenAI
  • Deployer: OpenAI
  • Artifact Details:

| Type | Name |
|---|---|
| System | gpt_academic |

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Base Score | 9.8 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |

CWE

| ID | Description |
|---|---|
| CWE-502 | CWE-502: Deserialization of Untrusted Data |

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-04-08
  • Version: 0.3.3
  • AVID Entry