High

gpt_academic

Prompt Injection Leading to RCE in Code Interpreter Plugin

A vulnerability in the Code Interpreter plugin of gpt_academic (version <= 3.83) allows for remote code execution (RCE) via prompt injection. The issue arises from executing user-provided prompts without proper sandboxing. The vulnerability has not been patched as of the report.

Available publicly on Jan 01 2025

CVSS: 8.8

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Credit:

lyutoon
Remediation Steps
  1. Implement proper sandboxing for executing user-provided prompts to ensure that generated code cannot perform harmful actions.
  2. Validate and sanitize user inputs to prevent injection of malicious code.
  3. Update the application to the latest version once a patch is available.
  4. Regularly review and test the security of plugins and other components that execute user-provided code.
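
A sketch of remediation step 1, added here as an example and not taken from gpt_academic: model-generated Python runs in a separate process with resource limits, a scratch working directory and an environment that carries none of the host's secrets. The function name, limits and result type are assumptions; process limits do not restrict network or filesystem reads, so a container or VM boundary is still needed around this layer.

```python
import resource
import subprocess
import sys
import tempfile
from dataclasses import dataclass

# Assumed limits for illustration; tune per deployment.
CPU_SECONDS = 2
WALL_SECONDS = 5
MAX_MEMORY = 512 * 1024 * 1024   # address space, bytes
MAX_FILE = 1024 * 1024           # largest file the child may write, bytes
MAX_OUTPUT = 10_000              # characters of stdout/stderr kept

@dataclass
class RunResult:
    ok: bool
    stdout: str
    stderr: str
    reason: str

def _apply_limits():
    """Runs in the child between fork and exec (POSIX only)."""
    for res, want in ((resource.RLIMIT_CPU, CPU_SECONDS),
                      (resource.RLIMIT_AS, MAX_MEMORY),
                      (resource.RLIMIT_FSIZE, MAX_FILE),
                      (resource.RLIMIT_CORE, 0)):
        hard = resource.getrlimit(res)[1]
        # Never ask for more than the hard limit already in force.
        limit = want if hard == resource.RLIM_INFINITY else min(want, hard)
        resource.setrlimit(res, (limit, limit))

def run_generated_code(code: str) -> RunResult:
    """Execute model-generated Python in a separate, constrained process."""
    with tempfile.TemporaryDirectory() as workdir:
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-c", code],   # -I: isolated mode
                cwd=workdir,
                env={"PATH": "/usr/bin:/bin"},        # host variables are not inherited
                stdin=subprocess.DEVNULL, capture_output=True,
                text=True, errors="replace",
                timeout=WALL_SECONDS, preexec_fn=_apply_limits)
        except subprocess.TimeoutExpired:
            return RunResult(False, "", "", "wall-clock timeout")
    reason = "exited 0" if proc.returncode == 0 else f"exit status {proc.returncode}"
    return RunResult(proc.returncode == 0, proc.stdout[:MAX_OUTPUT],
                     proc.stderr[:MAX_OUTPUT], reason)
```
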
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A