AI Threat Alert

CVE-2024-11031: GPT Academic: SSRF in Markdown plugin leaks credentials

HIGH PoC AVAILABLE CISA: TRACK*
Published March 20, 2025
CISO Take

GPT Academic v3.83 exposes an unauthenticated SSRF through its Markdown translation plugin that allows any network attacker to weaponize the server's HTTP client against internal resources and cloud metadata endpoints. With zero auth required and trivial exploitation, instances exposed to the internet are at immediate risk of credential theft and internal network reconnaissance. Update beyond v3.83 immediately or disable the HotReload/Markdown translation plugin until patched.

What is the risk?

High risk (CVSS 7.5) with no authentication requirement, low attack complexity, and network accessibility makes this trivially exploitable. SSRF in cloud-deployed environments is particularly dangerous due to IMDSv1 metadata endpoint access (AWS 169.254.169.254, GCP equivalent), which can yield IAM credentials with broad permissions. Not yet in CISA KEV, but exploitation is straightforward and requires no AI/ML knowledge—any attacker with HTTP access can exploit this.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
GPT Academic pip No patch

Do you use GPT Academic? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 45% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

6 steps

  1. Patch: Update gpt_academic beyond v3.83 immediately.

  2. Workaround: Disable the HotReload/Markdown translation plugin if update is not immediately possible.

  3. Network egress: Block outbound requests to cloud metadata endpoints (169.254.169.254, 100.64.169.254, fd00:ec2::254) via firewall rules.

  4. URL allowlisting: Implement strict allowlisting for any plugin functionality that fetches external URLs.

  5. Detection: Monitor server-side outbound HTTP request logs for requests to private IP ranges, metadata endpoints, or unexpected external domains.

  6. Audit: Review all other GPT Academic plugins for similar SSRF patterns in URL handling logic.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Framework Plugin AML.T0025 AML.T0049 AML.T0055 AML.T0106

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - Information security for AI systems
NIST AI RMF
MANAGE-2.2 - Mechanisms for treatment of AI risks
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-11031?

GPT Academic v3.83 exposes an unauthenticated SSRF through its Markdown translation plugin that allows any network attacker to weaponize the server's HTTP client against internal resources and cloud metadata endpoints. With zero auth required and trivial exploitation, instances exposed to the internet are at immediate risk of credential theft and internal network reconnaissance. Update beyond v3.83 immediately or disable the HotReload/Markdown translation plugin until patched.

Is CVE-2024-11031 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-11031, increasing the risk of exploitation.

How to fix CVE-2024-11031?

1. Patch: Update gpt_academic beyond v3.83 immediately. 2. Workaround: Disable the HotReload/Markdown translation plugin if update is not immediately possible. 3. Network egress: Block outbound requests to cloud metadata endpoints (169.254.169.254, 100.64.169.254, fd00:ec2::254) via firewall rules. 4. URL allowlisting: Implement strict allowlisting for any plugin functionality that fetches external URLs. 5. Detection: Monitor server-side outbound HTTP request logs for requests to private IP ranges, metadata endpoints, or unexpected external domains. 6. Audit: Review all other GPT Academic plugins for similar SSRF patterns in URL handling logic.

What systems are affected by CVE-2024-11031?

This vulnerability affects the following AI/ML architecture patterns: AI web UIs, Gradio-based deployments, academic AI tools, document processing pipelines.

What is the CVSS score for CVE-2024-11031?

CVE-2024-11031 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.62%.

What is the AI security impact?

Affected AI Architectures

AI web UIsGradio-based deploymentsacademic AI toolsdocument processing pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

In version 3.83 of binary-husky/gpt_academic, a Server-Side Request Forgery (SSRF) vulnerability exists in the Markdown_Translate.get_files_from_everything() API. This vulnerability is exploited through the HotReload(Markdown翻译中) plugin function, which allows downloading arbitrary web hosts by only checking if the link starts with 'http'. Attackers can exploit this vulnerability to abuse the victim GPT Academic's Gradio Web server's credentials to access unauthorized web resources.

Exploitation Scenario

An unauthenticated attacker submits a crafted Markdown document to the GPT Academic translation API containing a link targeting an attacker-controlled server or cloud metadata endpoint (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/). The HotReload plugin's get_files_from_everything() function passes the URL through only a starts-with-'http' check, causing the Gradio server to fetch the URL using its own network context and credentials. On AWS, this yields temporary IAM credentials; on any deployment it allows internal network scanning. The attacker receives the server's request at their controlled endpoint, capturing auth headers, and can chain this to lateral movement within the cloud environment.

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF) CWE-918 Server-Side Request Forgery (SSRF)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
March 20, 2025
Last Modified
July 15, 2025
First Seen
March 20, 2025

Related Vulnerabilities

CRITICAL CVE-2024-31224 9.8

gpt_academic: deserialization RCE, no auth required

Same package: gpt_academic
HIGH CVE-2024-11030 7.5

GPT Academic: SSRF via unsanitized HotReload plugin

Same package: gpt_academic
HIGH CVE-2025-25185 7.5

gpt_academic: symlink traversal exposes all server files

Same package: gpt_academic
UNKNOWN CVE-2024-11037

gpt_academic: path traversal exposes LLM API keys

Same package: gpt_academic
UNKNOWN CVE-2024-10950

gpt_academic: RCE via unsandboxed prompt injection

Same package: gpt_academic
Back to Threat Feed