CVE-2024-31224: gpt_academic: deserialization RCE, no auth required

CRITICAL PoC AVAILABLE CISA: TRACK*
Published April 8, 2024
CISO Take

GPT Academic versions 3.64–3.73 contain a critical insecure deserialization flaw (CWE-502) that lets any unauthenticated remote attacker execute arbitrary code on the host — no credentials, no user interaction, just a crafted network request. The CVSS 9.8 score reflects the worst possible attack profile (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H), and while no public exploit or CISA KEV listing exists yet, deserialization RCE is a well-documented, low-skill exploitation class with tooling widely available. GPT Academic is commonly deployed by researchers and developers without enterprise hardening, making internet-exposed instances highly probable and directly at risk. Patch to version 3.74 immediately; if patching is delayed, restrict the service to trusted IPs via firewall and rotate all LLM API keys stored on the host.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Critical risk. The combination of network-accessible, zero-authentication, zero-interaction RCE against an LLM frontend framework represents full host compromise on first exploit attempt. GPT Academic instances are typically self-hosted by individuals or small teams who may deprioritize patching, increasing dwell-time exposure. The 5 prior CVEs in this package suggest a pattern of security debt. Although no active exploitation is confirmed, the exploitation barrier is low enough that treat-as-exploited posture is warranted.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
GPT Academic pip No patch

Do you use GPT Academic? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
1.2%
chance of exploitation in 30 days
Higher than 65% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps
  1. Upgrade gpt_academic to version 3.74 immediately — this is the only confirmed fix (patch commit: 8af6c0cab6d96f5c4520bec85b24802e6e823f35).

  2. If patching is not immediately possible, block all public internet access to the service at the firewall/network layer — restrict to known trusted IPs only.

  3. Audit existing deployments for compromise: look for unexpected outbound connections, new cron jobs, added SSH keys, or unfamiliar processes spawned by the gpt_academic process.

  4. Rotate all LLM API keys (OpenAI, Anthropic, etc.) and other credentials that were accessible to the process.

  5. Review conversation logs for unexpected data access patterns.

  6. There are no known workarounds beyond network isolation and upgrading.

What does CISA's SSVC say?

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2.3 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2024-31224?

GPT Academic versions 3.64–3.73 contain a critical insecure deserialization flaw (CWE-502) that lets any unauthenticated remote attacker execute arbitrary code on the host — no credentials, no user interaction, just a crafted network request. The CVSS 9.8 score reflects the worst possible attack profile (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H), and while no public exploit or CISA KEV listing exists yet, deserialization RCE is a well-documented, low-skill exploitation class with tooling widely available. GPT Academic is commonly deployed by researchers and developers without enterprise hardening, making internet-exposed instances highly probable and directly at risk. Patch to version 3.74 immediately; if patching is delayed, restrict the service to trusted IPs via firewall and rotate all LLM API keys stored on the host.

Is CVE-2024-31224 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-31224, increasing the risk of exploitation.

How to fix CVE-2024-31224?

1. Upgrade gpt_academic to version 3.74 immediately — this is the only confirmed fix (patch commit: 8af6c0cab6d96f5c4520bec85b24802e6e823f35). 2. If patching is not immediately possible, block all public internet access to the service at the firewall/network layer — restrict to known trusted IPs only. 3. Audit existing deployments for compromise: look for unexpected outbound connections, new cron jobs, added SSH keys, or unfamiliar processes spawned by the gpt_academic process. 4. Rotate all LLM API keys (OpenAI, Anthropic, etc.) and other credentials that were accessible to the process. 5. Review conversation logs for unexpected data access patterns. 6. There are no known workarounds beyond network isolation and upgrading.

What systems are affected by CVE-2024-31224?

This vulnerability affects the following AI/ML architecture patterns: Self-hosted LLM frontends, Research and development LLM environments, LLM API proxy deployments, Multi-user LLM interface servers.

What is the CVSS score for CVE-2024-31224?

CVE-2024-31224 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.21%.

What is the AI security impact?

Affected AI Architectures

Self-hosted LLM frontendsResearch and development LLM environmentsLLM API proxy deploymentsMulti-user LLM interface servers

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic versions 3.64 through 3.73. The server deserializes untrustworthy data from the client, which may risk remote code execution. Any device that exposes the GPT Academic service to the Internet is vulnerable. Version 3.74 contains a patch for the issue. There are no known workarounds aside from upgrading to a patched version.

Exploitation Scenario

An adversary scans for internet-exposed gpt_academic instances (trivial via Shodan/Censys or targeted HTTP fingerprinting). They craft a malicious serialized Python object payload and submit it via a standard HTTP request to the vulnerable endpoint — no authentication token or session required. The server deserializes the payload, triggering arbitrary code execution in the context of the running process. The attacker immediately exfiltrates environment variables and config files, harvesting OpenAI or other LLM API keys worth hundreds or thousands of dollars monthly. They install a persistent reverse shell for ongoing access and optionally use the compromised host as a pivot point into internal corporate networks, since researchers frequently run gpt_academic on machines with broader internal access.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 8, 2024
Last Modified
November 4, 2025
First Seen
April 8, 2024

Related Vulnerabilities