CVE-2025-10236 - Vulnerability Details

- binary-husky gpt_academic LaTeX File latex_toolbox.py merge_tex_files_ path traversal

Description

A vulnerability has been found in binary-husky gpt_academic up to 3.91. Impacted is the function merge_tex_files_ of the file crazy_functions/latex_fns/latex_toolbox.py of the component LaTeX File Handler. Such manipulation of the argument \input{} leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2025-09-11

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

binary-husky

gpt_academic

affected

Version	Status	Constraints
`3.0`	affected	—
`3.1`	affected	—
`3.2`	affected	—
`3.3`	affected	—
`3.4`	affected	—
`3.5`	affected	—
`3.6`	affected	—
`3.7`	affected	—
`3.8`	affected	—
`3.9`	affected	—
`3.10`	affected	—
`3.11`	affected	—
`3.12`	affected	—
`3.13`	affected	—
`3.14`	affected	—
`3.15`	affected	—
`3.16`	affected	—
`3.17`	affected	—
`3.18`	affected	—
`3.19`	affected	—
`3.20`	affected	—
`3.21`	affected	—
`3.22`	affected	—
`3.23`	affected	—
`3.24`	affected	—
`3.25`	affected	—
`3.26`	affected	—
`3.27`	affected	—
`3.28`	affected	—
`3.29`	affected	—
`3.30`	affected	—
`3.31`	affected	—
`3.32`	affected	—
`3.33`	affected	—
`3.34`	affected	—
`3.35`	affected	—
`3.36`	affected	—
`3.37`	affected	—
`3.38`	affected	—
`3.39`	affected	—
`3.40`	affected	—
`3.41`	affected	—
`3.42`	affected	—
`3.43`	affected	—
`3.44`	affected	—
`3.45`	affected	—
`3.46`	affected	—
`3.47`	affected	—
`3.48`	affected	—
`3.49`	affected	—
`3.50`	affected	—
`3.51`	affected	—
`3.52`	affected	—
`3.53`	affected	—
`3.54`	affected	—
`3.55`	affected	—
`3.56`	affected	—
`3.57`	affected	—
`3.58`	affected	—
`3.59`	affected	—
`3.60`	affected	—
`3.61`	affected	—
`3.62`	affected	—
`3.63`	affected	—
`3.64`	affected	—
`3.65`	affected	—
`3.66`	affected	—
`3.67`	affected	—
`3.68`	affected	—
`3.69`	affected	—
`3.70`	affected	—
`3.71`	affected	—
`3.72`	affected	—
`3.73`	affected	—
`3.74`	affected	—
`3.75`	affected	—
`3.76`	affected	—
`3.77`	affected	—
`3.78`	affected	—
`3.79`	affected	—
`3.80`	affected	—
`3.81`	affected	—
`3.82`	affected	—
`3.83`	affected	—
`3.84`	affected	—
`3.85`	affected	—
`3.86`	affected	—
`3.87`	affected	—
`3.88`	affected	—
`3.89`	affected	—
`3.90`	affected	—
`3.91`	affected	—

Configuration 1 [-]

cpe:2.3:a:binary-husky:gpt_academic:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Binary-husky	Gpt Academic	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-28917	A vulnerability has been found in binary-husky gpt_academic up to 3.91. Impacted is the function merge_tex_files_ of the file crazy_functions/latex_fns/latex_toolbox.py of the component LaTeX File Handler. Such manipulation of the argument \input{} leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00125.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/d3do-23/cvelist/blob/main/gpt_academic/Plugins_LFI.md
https://vuldb.com/?ctiid.323505
https://vuldb.com/?id.323505
https://vuldb.com/?submit.640977

History

Fri, 31 Oct 2025 14:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:binary-husky:gpt_academic::::::::

Thu, 11 Sep 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 11 Sep 2025 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Binary-husky Binary-husky gpt Academic
Vendors & Products		Binary-husky Binary-husky gpt Academic

Thu, 11 Sep 2025 01:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in binary-husky gpt_academic up to 3.91. Impacted is the function merge_tex_files_ of the file crazy_functions/latex_fns/latex_toolbox.py of the component LaTeX File Handler. Such manipulation of the argument \input{} leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		binary-husky gpt_academic LaTeX File latex_toolbox.py merge_tex_files_ path traversal
Weaknesses		CWE-22
References		https://github.com/d3do-23/cvelist/blob/main/gpt_academic/Plugins_LFI.md https://vuldb.com/?ctiid.323505 https://vuldb.com/?id.323505 https://vuldb.com/?submit.640977
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Binary-husky Gpt Academic

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2025-09-11T01:02:07.190Z

Updated: 2025-09-11T13:22:17.633Z

Reserved: 2025-09-10T14:15:32.218Z

Link: CVE-2025-10236

Vulnrichment

Updated: 2025-09-11T13:22:13.295Z

NVD

Status : Analyzed

Published: 2025-09-11T02:15:29.353

Modified: 2026-04-29T01:00:01.613

Link: CVE-2025-10236

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-09-11T10:42:37Z

Weaknesses

CWE-22

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object