CVE-2024-11030: GPT Academic: SSRF via unsanitized HotReload plugin

Severity: HIGH | PoC available | CISA SSVC: Track*
Published March 20, 2025
CISO Take

An unauthenticated remote attacker can force GPT Academic's Gradio server to make arbitrary outbound HTTP requests, including to cloud metadata endpoints (AWS IMDS, GCP metadata) to harvest IAM credentials. No authentication or user interaction required — any internet-exposed instance is trivially exploitable. Immediately restrict network access to GPT Academic deployments or disable the HotReload plugin until a patch is applied.

What is the risk?

High operational risk for organizations running GPT Academic in cloud or enterprise environments. The zero-auth, network-accessible attack vector means exploitation requires no foothold. The real danger is SSRF-to-cloud-credential escalation: an attacker reaching 169.254.169.254 gains IAM tokens that can pivot to broader AWS/GCP/Azure infrastructure. Confidentiality impact is high; integrity and availability are unaffected directly, but credential theft creates secondary cascading risk.

What systems are affected?

Package: GPT Academic
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch

Do you use GPT Academic? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 45% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

  1. Patch: Upgrade GPT Academic to a version released after 2025-03-20 that addresses this SSRF. No confirmed patched version listed — monitor the official repository.

  2. Network controls: Block outbound HTTP/S from the GPT Academic process to RFC-1918 ranges and cloud metadata IPs (169.254.169.254, 100.100.100.200 for Alibaba).

  3. Disable HotReload: If the plugin is not required, disable or remove the HotReload plugin functionality.

  4. Restrict exposure: Ensure the Gradio interface is not publicly accessible — require VPN or SSH tunneling for access.

  5. Detect: Alert on outbound requests from the AI service host to metadata endpoints or unexpected internal CIDR ranges.

  6. Cloud hardening: Enable IMDSv2 (AWS) to require token-based metadata access, reducing SSRF impact.
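
One way to implement the detection in step 5, as an added example (not code from GPT Academic or from this advisory): it scans a host-level egress log for connections made by the service account to metadata IPs or to RFC 1918 addresses that are not on an allowlist. The log format, the `gptacademic` account name, the allowlist and every sample line are constructed assumptions; it also assumes the service has no legitimate reason to call the metadata endpoint.

```python
import ipaddress
import re

METADATA_IPS = {"169.254.169.254", "100.100.100.200"}  # IPs named in step 2
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of a host-level egress log (format is an assumption).
SAMPLE_LOG = """\
2025-03-21T10:02:11Z src=10.0.4.17 user=gptacademic dst=93.184.216.34 dport=443
2025-03-21T10:02:40Z src=10.0.4.17 user=gptacademic dst=169.254.169.254 dport=80
2025-03-21T10:03:02Z src=10.0.4.17 user=gptacademic dst=10.0.9.20 dport=6379
2025-03-21T10:03:05Z src=10.0.4.17 user=gptacademic dst=10.0.4.53 dport=53
2025-03-21T10:04:19Z src=10.0.4.17 user=backup dst=10.0.9.20 dport=22
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def find_suspect_egress(log_text, service_user, allowed_internal=()):
    """Return (ts, dst, dport, reason) for each connection by service_user to
    a metadata IP or to an internal address not in allowed_internal, which
    holds the (ip, port) pairs the service legitimately uses."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["user"] != service_user:
            continue
        dst, dport = m["dst"], int(m["dport"])
        try:
            ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # not an IP literal; out of scope for this check
        if dst in METADATA_IPS:
            reason = "metadata-endpoint"
        elif (dst, dport) in allowed_internal:
            continue
        elif any(ip in net for net in INTERNAL_NETS):
            reason = "unexpected-internal"
        else:
            continue
        alerts.append((m["ts"], dst, dport, reason))
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_egress(SAMPLE_LOG, "gptacademic", {("10.0.4.53", 53)}):
        print(alert)
```

VPC Flow Logs do not record traffic to 169.254.169.254, so on AWS this check needs a host-level source such as an egress proxy or audit log.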

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.10.3 - Information security in AI system lifecycle
NIST AI RMF: MS-2.5 - Practices are in place to monitor and manage AI system vulnerabilities
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-11030?

An unauthenticated remote attacker can force GPT Academic's Gradio server to make arbitrary outbound HTTP requests, including to cloud metadata endpoints (AWS IMDS, GCP metadata) to harvest IAM credentials. No authentication or user interaction required — any internet-exposed instance is trivially exploitable. Immediately restrict network access to GPT Academic deployments or disable the HotReload plugin until a patch is applied.

Is CVE-2024-11030 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-11030, increasing the risk of exploitation.

How to fix CVE-2024-11030?

  1. Patch: Upgrade GPT Academic to a version released after 2025-03-20 that addresses this SSRF. No confirmed patched version listed; monitor the official repository.

  2. Network controls: Block outbound HTTP/S from the GPT Academic process to RFC-1918 ranges and cloud metadata IPs (169.254.169.254, 100.100.100.200 for Alibaba).

  3. Disable HotReload: If the plugin is not required, disable or remove the HotReload plugin functionality.

  4. Restrict exposure: Ensure the Gradio interface is not publicly accessible; require VPN or SSH tunneling for access.

  5. Detect: Alert on outbound requests from the AI service host to metadata endpoints or unexpected internal CIDR ranges.

  6. Cloud hardening: Enable IMDSv2 (AWS) to require token-based metadata access, reducing SSRF impact.

What systems are affected by CVE-2024-11030?

This vulnerability affects the following AI/ML architecture patterns: ML research environments, Gradio-based AI applications, cloud-hosted AI workspaces, plugin-enabled LLM interfaces.

What is the CVSS score for CVE-2024-11030?

CVE-2024-11030 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.62%.

What is the AI security impact?

Affected AI Architectures

ML research environments
Gradio-based AI applications
cloud-hosted AI workspaces
plugin-enabled LLM interfaces

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.10.3
NIST AI RMF: MS-2.5
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

GPT Academic version 3.83 is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability through its HotReload plugin function, which calls the crazy_utils.get_files_from_everything() API without proper sanitization. This allows attackers to exploit the vulnerability to abuse the victim GPT Academic's Gradio Web server's credentials to access unauthorized web resources.

Exploitation Scenario

Attacker discovers an internet-facing GPT Academic instance via Shodan or direct IP scanning (Gradio has a distinctive UI fingerprint). They craft a request to the HotReload plugin endpoint passing a URL targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/ — no authentication required. The server fetches the URL using its own network context and returns AWS IAM role credentials in the response. Attacker uses those credentials to enumerate S3 buckets, read training data, or escalate privileges within the cloud account. Full attack chain from reconnaissance to credential exfiltration takes under 5 minutes.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.
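
An added example (not GPT Academic's code or its eventual fix) of the destination check CWE-918 calls for before a server fetches a user-supplied URL: resolve the host, then refuse loopback, RFC 1918, link-local and the metadata addresses this page names. The function names and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations the fetcher must never reach: loopback, RFC 1918, link-local
# (contains 169.254.169.254) and 100.64.0.0/10 (contains 100.100.100.200,
# which ipaddress does not report as private).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def system_resolver(host, port):
    """Resolve with the OS resolver, so the check sees what a fetch would see."""
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]

def is_blocked(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # e.g. ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def check_fetch_url(url, resolver=system_resolver):
    """Return the vetted IP list for url, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolver(parts.hostname, port)
    if not addrs:
        raise ValueError("host did not resolve")
    for addr in addrs:  # one blocked answer is enough to refuse
        if is_blocked(addr):
            raise ValueError(f"{parts.hostname} resolves to blocked address {addr}")
    return addrs
```

The fetch must connect to one of the returned addresses and repeat the check on every redirect; otherwise a second DNS lookup or a redirect can still land on a blocked address.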

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: March 20, 2025
Last Modified: July 14, 2025
First Seen: March 20, 2025

Related Vulnerabilities