CVE-2024-10950: gpt_academic: RCE via unsandboxed prompt injection
UNKNOWN PoC AVAILABLE CISA: ATTENDgpt_academic's CodeInterpreter plugin (versions ≤ 3.83) executes LLM-generated code directly on the backend server without any sandboxing, allowing a user to craft a prompt that causes the model to emit and run arbitrary code — resulting in full server compromise. A public PoC is available on huntr.com, reducing the exploit barrier to nearly zero; any user-facing deployment of this tool is effectively an open RCE endpoint. While CVSS scoring is pending and the CVE is not yet in CISA KEV, the combination of public PoC, unsandboxed execution, and server-level impact places this in the immediate-action category for any team running gpt_academic. Remediate by upgrading beyond 3.83 or disabling the CodeInterpreter plugin entirely; if neither is possible, isolate the deployment behind strict network controls and consider containerized sandboxing as a compensating control.
What is the risk?
High operational risk for any organization running gpt_academic ≤ 3.83 with CodeInterpreter enabled. The exploit chain is trivial — craft a prompt, observe RCE — and a public PoC lowers the attacker skill floor to near-zero. The absence of a sandbox means successful exploitation yields process-level access on the backend host, with realistic paths to credential theft, lateral movement, and full infrastructure compromise. The package has 5 other CVEs in the same codebase, suggesting a pattern of insufficient input handling. Blast radius is bounded to self-hosted deployments (gpt_academic is not a managed cloud service), but academic, research, and enterprise AI productivity environments are common deployment contexts.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| GPT Academic | pip | — | No patch |
Do you use GPT Academic? You're affected.
How severe is it?
What should I do?
6 steps-
Patch: Upgrade gpt_academic to a version > 3.83 immediately. Check the GitHub release page for a patched release.
-
Disable plugin: If upgrade is blocked, disable or remove the CodeInterpreter plugin from the configuration.
-
Isolate: Run gpt_academic in a sandboxed container (e.g., gVisor, Firecracker) with no outbound network access except required API endpoints.
-
Restrict access: Place the application behind authenticated access controls; do not expose to the public internet.
-
Rotate secrets: Audit environment variables and secrets accessible to the process; rotate any credentials that may have been exposed.
-
Detect: Review server logs for unexpected process spawning, outbound connections, or file writes from the gpt_academic process. Check for shells spawned as children of the Python process.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2024-10950?
gpt_academic's CodeInterpreter plugin (versions ≤ 3.83) executes LLM-generated code directly on the backend server without any sandboxing, allowing a user to craft a prompt that causes the model to emit and run arbitrary code — resulting in full server compromise. A public PoC is available on huntr.com, reducing the exploit barrier to nearly zero; any user-facing deployment of this tool is effectively an open RCE endpoint. While CVSS scoring is pending and the CVE is not yet in CISA KEV, the combination of public PoC, unsandboxed execution, and server-level impact places this in the immediate-action category for any team running gpt_academic. Remediate by upgrading beyond 3.83 or disabling the CodeInterpreter plugin entirely; if neither is possible, isolate the deployment behind strict network controls and consider containerized sandboxing as a compensating control.
Is CVE-2024-10950 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-10950, increasing the risk of exploitation.
How to fix CVE-2024-10950?
1. Patch: Upgrade gpt_academic to a version > 3.83 immediately. Check the GitHub release page for a patched release. 2. Disable plugin: If upgrade is blocked, disable or remove the CodeInterpreter plugin from the configuration. 3. Isolate: Run gpt_academic in a sandboxed container (e.g., gVisor, Firecracker) with no outbound network access except required API endpoints. 4. Restrict access: Place the application behind authenticated access controls; do not expose to the public internet. 5. Rotate secrets: Audit environment variables and secrets accessible to the process; rotate any credentials that may have been exposed. 6. Detect: Review server logs for unexpected process spawning, outbound connections, or file writes from the gpt_academic process. Check for shells spawned as children of the Python process.
What systems are affected by CVE-2024-10950?
This vulnerability affects the following AI/ML architecture patterns: LLM-assisted code execution environments, agent frameworks, academic and research AI tool deployments, self-hosted LLM productivity platforms.
What is the CVSS score for CVE-2024-10950?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application AML.T0050 Command and Scripting Interpreter AML.T0051 LLM Prompt Injection AML.T0051.000 Direct AML.T0053 AI Agent Tool Invocation AML.T0102 Generate Malicious Commands Compliance Controls Affected
What are the technical details?
Original Advisory
In binary-husky/gpt_academic version <= 3.83, the plugin `CodeInterpreter` is vulnerable to code injection caused by prompt injection. The root cause is the execution of user-provided prompts that generate untrusted code without a sandbox, allowing the execution of parts of the LLM-generated code. This vulnerability can be exploited by an attacker to achieve remote code execution (RCE) on the application backend server, potentially gaining full control of the server.
Exploitation Scenario
An attacker with access to the gpt_academic web interface submits a prompt to the CodeInterpreter plugin instructing the LLM to generate a Python reverse shell payload — e.g., 'write and run a Python script that connects back to attacker.com:4444'. The LLM faithfully generates the code, and the plugin executes it on the backend server without validation or sandboxing. The attacker receives a shell with the privileges of the application process, then enumerates environment variables to harvest API keys and database credentials, reads model configuration files, and pivots to adjacent internal services. The entire attack requires no prior authentication if the instance is publicly accessible and no technical AI/ML expertise beyond crafting a natural-language code-generation prompt.
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
References
- huntr.com/bounties/9abb1617-0c1d-42c7-a647-d9d2b39c6866 Exploit 3rd Party
Timeline
Related Vulnerabilities
CVE-2024-31224 9.8 gpt_academic: deserialization RCE, no auth required
Same package: gpt_academic CVE-2024-11031 7.5 GPT Academic: SSRF in Markdown plugin leaks credentials
Same package: gpt_academic CVE-2025-25185 7.5 gpt_academic: symlink traversal exposes all server files
Same package: gpt_academic CVE-2024-11030 7.5 GPT Academic: SSRF via unsanitized HotReload plugin
Same package: gpt_academic CVE-2024-11037 gpt_academic: path traversal exposes LLM API keys
Same package: gpt_academic