CVE-2024-31224: gpt_academic: deserialization RCE, no auth required

CRITICAL
Published April 8, 2024

CISO Take

GPT Academic versions 3.64–3.73 contain a critical insecure deserialization flaw (CWE-502) that lets any unauthenticated remote attacker execute arbitrary code on the host — no credentials, no user interaction, just a crafted network request. The CVSS 9.8 score reflects the worst possible attack profile (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H), and while no public exploit or CISA KEV listing exists yet, deserialization RCE is a well-documented, low-skill exploitation class with tooling widely available. GPT Academic is commonly deployed by researchers and developers without enterprise hardening, making internet-exposed instances highly probable and directly at risk. Patch to version 3.74 immediately; if patching is delayed, restrict the service to trusted IPs via firewall and rotate all LLM API keys stored on the host.

Sources: NVD, GitHub Advisory, ATLAS

Risk Assessment

Critical risk. The combination of network-accessible, zero-authentication, zero-interaction RCE against an LLM frontend framework represents full host compromise on the first exploit attempt. GPT Academic instances are typically self-hosted by individuals or small teams who may deprioritize patching, increasing dwell-time exposure. The 5 prior CVEs in this package suggest a pattern of security debt. Although no active exploitation is confirmed, the exploitation barrier is low enough that a treat-as-exploited posture is warranted.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
gpt_academic | pip | | No patch

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Upgrade gpt_academic to version 3.74 immediately — this is the only confirmed fix (patch commit: 8af6c0cab6d96f5c4520bec85b24802e6e823f35).
  2. If patching is not immediately possible, block all public internet access to the service at the firewall/network layer — restrict to known trusted IPs only.
  3. Audit existing deployments for compromise: look for unexpected outbound connections, new cron jobs, added SSH keys, or unfamiliar processes spawned by the gpt_academic process.
  4. Rotate all LLM API keys (OpenAI, Anthropic, etc.) and other credentials that were accessible to the process.
  5. Review conversation logs for unexpected data access patterns.
  6. There are no known workarounds beyond network isolation and upgrading.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.3 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM03:2025 - Supply Chain

Technical Details

NVD Description

GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic versions 3.64 through 3.73. The server deserializes untrustworthy data from the client, which may risk remote code execution. Any device that exposes the GPT Academic service to the Internet is vulnerable. Version 3.74 contains a patch for the issue. There are no known workarounds aside from upgrading to a patched version.
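
The weakness class described above (CWE-502), seen from the defending side, as an added example that is not gpt_academic's code or its 3.74 patch. It assumes the client-supplied data is a Python pickle (the page does not name the format); `ALLOWED_GLOBALS`, `AllowListUnpickler`, `load_client_state` and `is_rejected` are hypothetical names, and the sample inputs are constructed.

```python
import io
import pickle

# Assumed allow-list: the only globals that client-supplied state may reference.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not named in ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        # pickle resolves every global a stream references through find_class.
        # Checking here stops the stream before the object is imported or called,
        # which plain pickle.loads() on client data never does.
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def load_client_state(blob: bytes):
    """Deserialize client-supplied bytes; raises on any blocked global."""
    return AllowListUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """Fail closed: any error while loading counts as a rejection."""
    try:
        load_client_state(blob)
    except Exception:
        return True
    return False


# Constructed samples, not captured traffic.
PLAIN_STATE = pickle.dumps({"theme": "dark", "history": ["q1", "q2"]})
# A stream that only references a builtin outside the allow-list (builtins.len).
FOREIGN_GLOBAL = pickle.dumps(len)

if __name__ == "__main__":
    print("plain state loads:", load_client_state(PLAIN_STATE))
    print("foreign global rejected:", is_rejected(FOREIGN_GLOBAL))
    print("truncated stream rejected:", is_rejected(PLAIN_STATE[:-3]))
```

An allow-list is only as safe as its entries; where the state is plain data, a data-only format such as JSON removes the object-construction step instead of filtering it.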

Exploitation Scenario

An adversary scans for internet-exposed gpt_academic instances (trivial via Shodan/Censys or targeted HTTP fingerprinting). They craft a malicious serialized Python object payload and submit it via a standard HTTP request to the vulnerable endpoint — no authentication token or session required. The server deserializes the payload, triggering arbitrary code execution in the context of the running process. The attacker immediately exfiltrates environment variables and config files, harvesting OpenAI or other LLM API keys worth hundreds or thousands of dollars monthly. They install a persistent reverse shell for ongoing access and optionally use the compromised host as a pivot point into internal corporate networks, since researchers frequently run gpt_academic on machines with broader internal access.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 8, 2024
Last Modified: November 4, 2025
First Seen: April 8, 2024
