AI Threat Alert

CVE-2024-31224: gpt_academic: deserialization RCE, no auth required

CRITICAL PoC AVAILABLE CISA: TRACK*
Published April 8, 2024
CISO Take

GPT Academic versions 3.64–3.73 contain a critical insecure deserialization flaw (CWE-502) that lets any unauthenticated remote attacker execute arbitrary code on the host — no credentials, no user interaction, just a crafted network request. The CVSS 9.8 score reflects the worst possible attack profile (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H), and while no public exploit or CISA KEV listing exists yet, deserialization RCE is a well-documented, low-skill exploitation class with tooling widely available. GPT Academic is commonly deployed by researchers and developers without enterprise hardening, making internet-exposed instances highly probable and directly at risk. Patch to version 3.74 immediately; if patching is delayed, restrict the service to trusted IPs via firewall and rotate all LLM API keys stored on the host.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Critical risk. The combination of network-accessible, zero-authentication, zero-interaction RCE against an LLM frontend framework represents full host compromise on first exploit attempt. GPT Academic instances are typically self-hosted by individuals or small teams who may deprioritize patching, increasing dwell-time exposure. The 5 prior CVEs in this package suggest a pattern of security debt. Although no active exploitation is confirmed, the exploitation barrier is low enough that treat-as-exploited posture is warranted.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
gpt_academic pip No patch

Do you use gpt_academic? You're affected.

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
3.3%
chance of exploitation in 30 days
Higher than 87% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. Upgrade gpt_academic to version 3.74 immediately — this is the only confirmed fix (patch commit: 8af6c0cab6d96f5c4520bec85b24802e6e823f35).

  2. If patching is not immediately possible, block all public internet access to the service at the firewall/network layer — restrict to known trusted IPs only.

  3. Audit existing deployments for compromise: look for unexpected outbound connections, new cron jobs, added SSH keys, or unfamiliar processes spawned by the gpt_academic process.

  4. Rotate all LLM API keys (OpenAI, Anthropic, etc.) and other credentials that were accessible to the process.

  5. Review conversation logs for unexpected data access patterns.

  6. There are no known workarounds beyond network isolation and upgrading.

CISA SSVC Assessment

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Data Extraction Framework API AML.T0037 AML.T0049 AML.T0050 AML.T0055 AML.T0072

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2.3 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2024-31224?

GPT Academic versions 3.64–3.73 contain a critical insecure deserialization flaw (CWE-502) that lets any unauthenticated remote attacker execute arbitrary code on the host — no credentials, no user interaction, just a crafted network request. The CVSS 9.8 score reflects the worst possible attack profile (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H), and while no public exploit or CISA KEV listing exists yet, deserialization RCE is a well-documented, low-skill exploitation class with tooling widely available. GPT Academic is commonly deployed by researchers and developers without enterprise hardening, making internet-exposed instances highly probable and directly at risk. Patch to version 3.74 immediately; if patching is delayed, restrict the service to trusted IPs via firewall and rotate all LLM API keys stored on the host.

Is CVE-2024-31224 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-31224, increasing the risk of exploitation.

How to fix CVE-2024-31224?

1. Upgrade gpt_academic to version 3.74 immediately — this is the only confirmed fix (patch commit: 8af6c0cab6d96f5c4520bec85b24802e6e823f35). 2. If patching is not immediately possible, block all public internet access to the service at the firewall/network layer — restrict to known trusted IPs only. 3. Audit existing deployments for compromise: look for unexpected outbound connections, new cron jobs, added SSH keys, or unfamiliar processes spawned by the gpt_academic process. 4. Rotate all LLM API keys (OpenAI, Anthropic, etc.) and other credentials that were accessible to the process. 5. Review conversation logs for unexpected data access patterns. 6. There are no known workarounds beyond network isolation and upgrading.

What systems are affected by CVE-2024-31224?

This vulnerability affects the following AI/ML architecture patterns: Self-hosted LLM frontends, Research and development LLM environments, LLM API proxy deployments, Multi-user LLM interface servers.

What is the CVSS score for CVE-2024-31224?

CVE-2024-31224 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 3.32%.

Technical Details

NVD Description

GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic versions 3.64 through 3.73. The server deserializes untrustworthy data from the client, which may risk remote code execution. Any device that exposes the GPT Academic service to the Internet is vulnerable. Version 3.74 contains a patch for the issue. There are no known workarounds aside from upgrading to a patched version.

Exploitation Scenario

An adversary scans for internet-exposed gpt_academic instances (trivial via Shodan/Censys or targeted HTTP fingerprinting). They craft a malicious serialized Python object payload and submit it via a standard HTTP request to the vulnerable endpoint — no authentication token or session required. The server deserializes the payload, triggering arbitrary code execution in the context of the running process. The attacker immediately exfiltrates environment variables and config files, harvesting OpenAI or other LLM API keys worth hundreds or thousands of dollars monthly. They install a persistent reverse shell for ongoing access and optionally use the compromised host as a pivot point into internal corporate networks, since researchers frequently run gpt_academic on machines with broader internal access.

Weaknesses (CWE)

CWE-502

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
April 8, 2024
Last Modified
November 4, 2025
First Seen
April 8, 2024

Related Vulnerabilities

HIGH CVE-2025-25185 7.5

gpt_academic: symlink traversal exposes all server files

Same package: gpt_academic
HIGH CVE-2024-11031 7.5

GPT Academic: SSRF in Markdown plugin leaks credentials

Same package: gpt_academic
HIGH CVE-2024-11030 7.5

GPT Academic: SSRF via unsanitized HotReload plugin

Same package: gpt_academic
UNKNOWN CVE-2024-10950

gpt_academic: RCE via unsandboxed prompt injection

Same package: gpt_academic
UNKNOWN CVE-2024-11037

gpt_academic: path traversal exposes LLM API keys

Same package: gpt_academic
Back to Threat Feed