CVE-2025-25185: gpt_academic: symlink traversal exposes all server files

HIGH PoC AVAILABLE CISA: TRACK*
Published March 3, 2025
CISO Take

GPT Academic ≤3.91 contains an unauthenticated path traversal vulnerability (CWE-59) where an attacker packages a malicious symlink inside a tar.gz, uploads it through the application's file upload feature — no login required — and reads any file the web process can access, including .env files, API keys, SSH private keys, and database credentials. With a CVSS of 7.5, zero privileges required, a network-accessible attack vector, low complexity, and a public PoC already published, the risk of exploitation is high for any internet-facing deployment. This package has accumulated 5 CVEs, indicating a pattern of insufficient security attention in the codebase. Organizations running GPT Academic should apply the patch at commit 5dffe862 immediately; if patching is not immediately possible, disable file upload functionality or place the instance behind VPN/HTTP authentication, and rotate all credentials stored on servers that ran a public-facing vulnerable instance.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk. The attack chain is trivially simple — craft a symlink, tar it, upload it, read the file — and a working PoC is publicly available. No authentication is required and there is no user interaction needed, meaning automated scanning and exploitation is realistic. The read-everything impact means credentials for downstream AI APIs (OpenAI, Anthropic, Google), database passwords, and private user conversation data are all in scope. Deploying this on shared infrastructure multiplies the blast radius well beyond the GPT Academic application itself.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
GPT Academic pip No patch

Do you use GPT Academic? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 44% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

5 steps
  1. Patch immediately: upgrade past commit 5dffe8627f681d7006cebcba27def038bb691949 (fix validated in GHSA-gqp5-wm97-qxcv).

  2. Interim workaround: disable the file upload/decompression feature in GPT Academic's configuration if upgrading cannot be done immediately.

  3. Network hardening: restrict the application to authenticated users (HTTP basic auth, VPN, or Cloudflare Access) — the CVSS PR:N score assumes unauthenticated reach.

  4. Detection: audit web server access logs for POST requests to archive upload endpoints followed by GET requests resolving paths outside the expected working directory; alert on responses serving content from /etc/, /root/, or application root .env files.

  5. Credential rotation: any server that ran a public-facing vulnerable instance should be treated as compromised — rotate all API keys, DB passwords, and SSH keys stored on that host.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.2 - Controls for AI system inputs
NIST AI RMF
MANAGE 2.2 - Risk Treatment — Vulnerability Remediation
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-25185?

GPT Academic ≤3.91 contains an unauthenticated path traversal vulnerability (CWE-59) where an attacker packages a malicious symlink inside a tar.gz, uploads it through the application's file upload feature — no login required — and reads any file the web process can access, including .env files, API keys, SSH private keys, and database credentials. With a CVSS of 7.5, zero privileges required, a network-accessible attack vector, low complexity, and a public PoC already published, the risk of exploitation is high for any internet-facing deployment. This package has accumulated 5 CVEs, indicating a pattern of insufficient security attention in the codebase. Organizations running GPT Academic should apply the patch at commit 5dffe862 immediately; if patching is not immediately possible, disable file upload functionality or place the instance behind VPN/HTTP authentication, and rotate all credentials stored on servers that ran a public-facing vulnerable instance.

Is CVE-2025-25185 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-25185, increasing the risk of exploitation.

How to fix CVE-2025-25185?

1. Patch immediately: upgrade past commit 5dffe8627f681d7006cebcba27def038bb691949 (fix validated in GHSA-gqp5-wm97-qxcv). 2. Interim workaround: disable the file upload/decompression feature in GPT Academic's configuration if upgrading cannot be done immediately. 3. Network hardening: restrict the application to authenticated users (HTTP basic auth, VPN, or Cloudflare Access) — the CVSS PR:N score assumes unauthenticated reach. 4. Detection: audit web server access logs for POST requests to archive upload endpoints followed by GET requests resolving paths outside the expected working directory; alert on responses serving content from /etc/, /root/, or application root .env files. 5. Credential rotation: any server that ran a public-facing vulnerable instance should be treated as compromised — rotate all API keys, DB passwords, and SSH keys stored on that host.

What systems are affected by CVE-2025-25185?

This vulnerability affects the following AI/ML architecture patterns: Self-hosted LLM frontends, LLM-powered research assistants, File-processing AI pipelines, Web-based AI interfaces with upload functionality.

What is the CVSS score for CVE-2025-25185?

CVE-2025-25185 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.59%.

What is the AI security impact?

Affected AI Architectures

Self-hosted LLM frontendsLLM-powered research assistantsFile-processing AI pipelinesWeb-based AI interfaces with upload functionality

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.8.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

GPT Academic provides interactive interfaces for large language models. In 3.91 and earlier, GPT Academic does not properly account for soft links. An attacker can create a malicious file as a soft link pointing to a target file, then package this soft link file into a tar.gz file and upload it. Subsequently, when accessing the decompressed file from the server, the soft link will point to the target file on the victim server. The vulnerability allows attackers to read all files on the server.

Exploitation Scenario

An attacker queries Shodan or GreyNoise for GPT Academic's HTTP fingerprint (application title or specific UI endpoints) and finds a public instance. They create a symlink named report.txt pointing to /proc/1/environ or ../../.env, package it with tar czf payload.tar.gz report.txt, and POST it to the application's file upload endpoint — no session token required. The server extracts the archive to its working directory. The attacker then accesses the decompressed file via the application's file viewer, and the OS resolves the symlink, returning the contents of the environment file containing OPENAI_API_KEY, DATABASE_URL, and other secrets. The attacker iterates through /etc/passwd, ~/.ssh/id_rsa, and application config paths within minutes using a simple loop, achieving full credential harvest with no special tooling.

Weaknesses (CWE)

CWE-59 — Improper Link Resolution Before File Access ('Link Following'): The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

  • [Architecture and Design] Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
March 3, 2025
Last Modified
March 7, 2025
First Seen
March 3, 2025

Related Vulnerabilities