CVE-2024-12391

Severity: MEDIUM | CVSS 6.5/10 | EPSS 0.85%


CVE-2024-12391 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. The function '解析项目源码(手动指定和筛选源码文件类型)' permits the execution of user-provided regular expressions. EPSS estimates a 0.85% chance of exploitation in the next 30 days.

Description

A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. The function '解析项目源码(手动指定和筛选源码文件类型)' permits the execution of user-provided regular expressions. Certain regular expressions can cause the Python RE engine to take exponential time to execute, leading to a Denial of Service (DoS) condition. An attacker who controls both the regular expression and the search string can exploit this vulnerability to hang the server for an arbitrary amount of time.
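The description above turns on handing a user-controlled pattern to Python's backtracking re engine. The following added example (not code from gpt_academic) shows the usual fix for a file-type filter of this kind: accept shell-style globs instead of raw regular expressions, validate them against a small allow-list, and let fnmatch.translate() build the pattern, which contains no nested quantifiers; the function names and the comma-separated filter syntax are assumptions.

```python
import fnmatch
import re

# Constructed example, not gpt_academic's code: a source-file type filter that
# takes globs ('*.py, *.md') from the user instead of a regular expression.
# fnmatch.translate() emits one '.*' per '*' and escapes everything else, so
# the compiled pattern has no nested quantifiers and matching stays linear in
# the length of the path, which removes the catastrophic-backtracking case.

# Allow-listed characters: path text plus the '*' and '?' wildcards.
_GLOB_ALLOWED = re.compile(r"^[A-Za-z0-9_./*?,\- ]+$")
_MAX_FILTER_LEN = 256  # assumed bound; keeps even the validation step cheap


def parse_file_type_filter(user_filter: str) -> list[re.Pattern]:
    """Turn a comma-separated glob list into compiled patterns.

    Raw regex syntax ('\\', '(', '+', '|', '$', ...) is rejected up front,
    so the caller never compiles a pattern the user wrote directly.
    """
    if len(user_filter) > _MAX_FILTER_LEN:
        raise ValueError("file type filter too long")
    if not _GLOB_ALLOWED.match(user_filter):
        raise ValueError("file type filter may only contain globs like '*.py'")
    globs = [g.strip() for g in user_filter.split(",") if g.strip()]
    if not globs:
        raise ValueError("empty file type filter")
    # e.g. fnmatch.translate('*.py') -> '(?s:.*\\.py)\\Z'
    return [re.compile(fnmatch.translate(g)) for g in globs]


def is_safe_filter(user_filter: str) -> bool:
    """True if the filter passes validation, False otherwise."""
    try:
        parse_file_type_filter(user_filter)
        return True
    except ValueError:
        return False


def filter_source_files(paths: list[str], user_filter: str) -> list[str]:
    """Return the paths that match any of the user's globs."""
    patterns = parse_file_type_filter(user_filter)
    return [p for p in paths if any(pat.match(p) for pat in patterns)]
```

If a deployment truly needs full regex from users, the same allow-list approach does not apply; then the matching has to be bounded in time (a worker process with a timeout) or run on a non-backtracking engine.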

Metrics

CVSS 3.0
6.5/10

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.85%

53.4th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor         Product        Versions
Binary-Husky   Gpt Academic   2024-10-15

Frequently Asked Questions

What is CVE-2024-12391?
A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. The function '解析项目源码(手动指定和筛选源码文件类型)' permits the execution of user-provided regular expressions. Certain regular expressions can cause the Python RE engine to take exponential time to execute, leading to a Denial of Service (DoS) condition. An attacker who controls both the regular expression and the search string can exploit this vulnerability to hang the server for an arbitrary amount of time.
How severe is CVE-2024-12391?
CVE-2024-12391 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.85% probability of exploitation in the next 30 days.
How do I fix CVE-2024-12391?
Check the vendor references and advisories for patched versions and mitigation guidance. You can also run a Strix scan to test whether your systems are affected.

Source: NVD / NIST