CVE-2024-11031: GPT Academic: SSRF in Markdown plugin leaks credentials

Severity: HIGH | PoC available | CISA SSVC: Track*
Published March 20, 2025
CISO Take

GPT Academic v3.83 exposes an unauthenticated SSRF through its Markdown translation plugin that allows any network attacker to weaponize the server's HTTP client against internal resources and cloud metadata endpoints. With zero auth required and trivial exploitation, instances exposed to the internet are at immediate risk of credential theft and internal network reconnaissance. Update beyond v3.83 immediately or disable the HotReload/Markdown translation plugin until patched.

Risk Assessment

The risk is high (CVSS 7.5): no authentication requirement, low attack complexity, and network accessibility make this trivially exploitable. SSRF in cloud-deployed environments is particularly dangerous because of IMDSv1 metadata endpoint access (AWS 169.254.169.254, GCP equivalent), which can yield IAM credentials with broad permissions. The CVE is not yet in CISA KEV, but exploitation is straightforward and requires no AI/ML knowledge: any attacker with HTTP access can exploit this.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
gpt_academic | pip | | No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 46% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: None
A: None

Recommended Action

  1. Patch: Update gpt_academic beyond v3.83 immediately.

  2. Workaround: Disable the HotReload/Markdown translation plugin if update is not immediately possible.

  3. Network egress: Block outbound requests to cloud metadata endpoints (169.254.169.254, 100.64.169.254, fd00:ec2::254) via firewall rules.

  4. URL allowlisting: Implement strict allowlisting for any plugin functionality that fetches external URLs.

  5. Detection: Monitor server-side outbound HTTP request logs for requests to private IP ranges, metadata endpoints, or unexpected external domains.

  6. Audit: Review all other GPT Academic plugins for similar SSRF patterns in URL handling logic.
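
Steps 3 and 4 can be enforced in code before any fetch. The sketch below is an added example, not GPT Academic's code: it contrasts a prefix-only test like the one the NVD description reports with a check that requires an allowlisted host and rejects any hostname resolving to an internal or metadata address. `strict_check`, `allowed_hosts`, the stub resolver and the sample public IP are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Step 3's metadata addresses; 100.64.169.254 is not covered by is_private.
METADATA_ADDRS = {ipaddress.ip_address(a) for a in
                  ("169.254.169.254", "100.64.169.254", "fd00:ec2::254")}

def weak_check(url):
    """Prefix-only test, as the NVD description characterises the plugin's check."""
    return url.startswith("http")

def system_resolver(host):
    """Return every address the host currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(addr):
    """True for metadata, private, loopback, link-local and other non-public IPs."""
    ip = ipaddress.ip_address(addr)
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    return (ip in METADATA_ADDRS or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_reserved or ip.is_multicast
            or ip.is_unspecified)

def strict_check(url, allowed_hosts, resolver=system_resolver):
    """Return (ok, reason); allowed_hosts is a hypothetical operator allowlist."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False, "malformed url"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if host not in allowed_hosts:
        return False, "host not allowlisted"
    try:
        addrs = resolver(host)
        internal = any(is_internal(a) for a in addrs)
    except (OSError, ValueError):
        return False, "resolution failed"
    if not addrs or internal:
        return False, "resolves to internal address"
    return True, "ok"

if __name__ == "__main__":
    # Constructed inputs: example.org allowlisted, resolver stubbed for offline use.
    fake = lambda h: {"93.184.216.34"}
    print(strict_check("https://example.org/a.md", {"example.org"}, fake))
    print(strict_check("http://169.254.169.254/", {"example.org"}, fake))
```

Validation alone leaves a gap between check and fetch: the HTTP client should connect to the address that was validated and re-run the check on every redirect.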

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.3 - Information security for AI systems
NIST AI RMF: MANAGE-2.2 - Mechanisms for treatment of AI risks
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2024-11031 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-11031, increasing the risk of exploitation.

What systems are affected by CVE-2024-11031?

This vulnerability affects the following AI/ML architecture patterns: AI web UIs, Gradio-based deployments, academic AI tools, document processing pipelines.

What is the CVSS score for CVE-2024-11031?

CVE-2024-11031 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.23%.

Technical Details

NVD Description

In version 3.83 of binary-husky/gpt_academic, a Server-Side Request Forgery (SSRF) vulnerability exists in the Markdown_Translate.get_files_from_everything() API. This vulnerability is exploited through the HotReload(Markdown翻译中) plugin function, which allows downloading arbitrary web hosts by only checking if the link starts with 'http'. Attackers can exploit this vulnerability to abuse the victim GPT Academic's Gradio Web server's credentials to access unauthorized web resources.

Exploitation Scenario

An unauthenticated attacker submits a crafted Markdown document to the GPT Academic translation API containing a link targeting an attacker-controlled server or cloud metadata endpoint (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/). The HotReload plugin's get_files_from_everything() function passes the URL through only a starts-with-'http' check, causing the Gradio server to fetch the URL using its own network context and credentials. On AWS, this yields temporary IAM credentials; on any deployment it allows internal network scanning. The attacker receives the server's request at their controlled endpoint, capturing auth headers, and can chain this to lateral movement within the cloud environment.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: March 20, 2025
Last Modified: July 15, 2025
First Seen: March 20, 2025
