CVE-2024-10956

HighPublic PoC

Published: 20 March 2025

Published

20 March 2025

Modified

15 July 2025

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

EPSS Score 0.0008 23.8th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-10956 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability affecting GPT Academy version 3.83 in the binary-husky/gpt_academic GitHub repository. The flaw stems from insufficient WebSocket authentication and lack of origin validation, enabling attackers to hijack existing WebSocket connections between a victim's browser and the server. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) and is associated with CWE-346 (Origin Validation Error).

An attacker can exploit this vulnerability without privileges by tricking a victim into visiting a malicious webpage via social engineering or other means requiring user interaction. Once the victim loads the attacker's page, it hijacks the active WebSocket connection to the GPT Academy server, allowing unauthorized actions such as deleting the victim's conversation history without consent. This results in high integrity impact with low confidentiality impact and no availability disruption.

Mitigation details and additional technical analysis are provided in the Huntr advisory at https://huntr.com/bounties/0f8403ad-5f60-4eb9-9f51-8fbd2e41eda4.

Details

CWE(s): CWE-346

Affected Products

binary-husky

gpt academic

3.83

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: GPT Academy is a web-based application in the binary-husky/gpt_academic repository, functioning as an AI assistant platform using GPT models, with the vulnerability in its WebSocket interface for managing conversation history.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2024-10956 is a CSWSH vulnerability in a public-facing web application (GPT Academy), enabling attackers to exploit lack of WebSocket origin validation and authentication to hijack connections from victims' browsers and perform unauthorized actions like deleting data.

References

https://huntr.com/bounties/0f8403ad-5f60-4eb9-9f51-8fbd2e41eda4
Exploit, Third Party Advisory · security@huntr.dev