CVE-2024-11030 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

An unauthenticated remote attacker can force GPT Academic's Gradio server to make arbitrary outbound HTTP requests, including to cloud metadata endpoints (AWS IMDS, GCP metadata) to harvest IAM credentials. No authentication or user interaction required — any internet-exposed instance is trivially exploitable. Immediately restrict network access to GPT Academic deployments or disable the HotReload plugin until a patch is applied.

Risk Assessment

High operational risk for organizations running GPT Academic in cloud or enterprise environments. The zero-auth, network-accessible attack vector means exploitation requires no foothold. The real danger is SSRF-to-cloud-credential escalation: an attacker reaching 169.254.169.254 gains IAM tokens that can pivot to broader AWS/GCP/Azure infrastructure. Confidentiality impact is high; integrity and availability are unaffected directly, but credential theft creates secondary cascading risk.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
gpt_academic	pip	—	No patch

Do you use gpt_academic? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 54% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

6 steps

Patch: Upgrade GPT Academic to a version released after 2025-03-20 that addresses this SSRF. No confirmed patched version listed — monitor the official repository.
Network controls: Block outbound HTTP/S from the GPT Academic process to RFC-1918 ranges and cloud metadata IPs (169.254.169.254, 100.100.100.200 for Alibaba).
Disable HotReload: If the plugin is not required, disable or remove the HotReload plugin functionality.
Restrict exposure: Ensure the Gradio interface is not publicly accessible — require VPN or SSH tunneling for access.
Detect: Alert on outbound requests from the AI service host to metadata endpoints or unexpected internal CIDR ranges.
Cloud hardening: Enable IMDSv2 (AWS) to require token-based metadata access, reducing SSRF impact.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Framework Plugin AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0106 - Exploitation for Credential Access

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.10.3 - Information security in AI system lifecycle

NIST AI RMF

MS-2.5 - Practices are in place to monitor and manage AI system vulnerabilities

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-11030?

An unauthenticated remote attacker can force GPT Academic's Gradio server to make arbitrary outbound HTTP requests, including to cloud metadata endpoints (AWS IMDS, GCP metadata) to harvest IAM credentials. No authentication or user interaction required — any internet-exposed instance is trivially exploitable. Immediately restrict network access to GPT Academic deployments or disable the HotReload plugin until a patch is applied.

Is CVE-2024-11030 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-11030, increasing the risk of exploitation.

How to fix CVE-2024-11030?

1. Patch: Upgrade GPT Academic to a version released after 2025-03-20 that addresses this SSRF. No confirmed patched version listed — monitor the official repository. 2. Network controls: Block outbound HTTP/S from the GPT Academic process to RFC-1918 ranges and cloud metadata IPs (169.254.169.254, 100.100.100.200 for Alibaba). 3. Disable HotReload: If the plugin is not required, disable or remove the HotReload plugin functionality. 4. Restrict exposure: Ensure the Gradio interface is not publicly accessible — require VPN or SSH tunneling for access. 5. Detect: Alert on outbound requests from the AI service host to metadata endpoints or unexpected internal CIDR ranges. 6. Cloud hardening: Enable IMDSv2 (AWS) to require token-based metadata access, reducing SSRF impact.

What systems are affected by CVE-2024-11030?

This vulnerability affects the following AI/ML architecture patterns: ML research environments, Gradio-based AI applications, cloud-hosted AI workspaces, plugin-enabled LLM interfaces.

What is the CVSS score for CVE-2024-11030?

CVE-2024-11030 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.30%.

Technical Details

NVD Description

GPT Academic version 3.83 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability through its HotReload plugin function, which calls the crazy_utils.get_files_from_everything() API without proper sanitization. This allows attackers to exploit the vulnerability to abuse the victim GPT Academic's Gradio Web server's credentials to access unauthorized web resources.

Exploitation Scenario

Attacker discovers an internet-facing GPT Academic instance via Shodan or direct IP scanning (Gradio has a distinctive UI fingerprint). They craft a request to the HotReload plugin endpoint passing a URL targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/ — no authentication required. The server fetches the URL using its own network context and returns AWS IAM role credentials in the response. Attacker uses those credentials to enumerate S3 buckets, read training data, or escalate privileges within the cloud account. Full attack chain from reconnaissance to credential exfiltration takes under 5 minutes.