CVE-2023-33979
CVE-2023-33979 is a medium-severity vulnerability in Binary-husky Gpt Academic with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-200.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 1% (50th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-200
- Affected product: Binary-husky Gpt Academic
- Published:
- Last modified:
Description
gpt_academic provides a graphical interface for ChatGPT/GLM. A vulnerability was found in gpt_academic 3.37 and prior. This issue affects some unknown processing of the component Configuration File Handler. The manipulation of the argument file leads to information disclosure. Since no sensitive files are configured to be off-limits, sensitive information files in some working directories can be read through the `/file` route, leading to sensitive information leakage. This affects users that uses file configurations via `config.py`, `config_private.py`, `Dockerfile`. A patch is available at commit 1dcc2873d2168ad2d3d70afcb453ac1695fbdf02. As a workaround, one may use environment variables instead of `config*.py` files to configure this project, or use docker-compose installation to configure this project.
Frequently asked questions
- What is CVE-2023-33979?
- gpt_academic provides a graphical interface for ChatGPT/GLM. A vulnerability was found in gpt_academic 3.37 and prior. This issue affects some unknown processing of the component Configuration File Handler. The manipulation of the argument file leads to information disclosure. Since no sensitive files are configured to be off-limits, sensitive information files in some working directories can be read through the `/file` route, leading to sensitive information leakage. This affects users that uses file configurations via `config.py`, `config_private.py`, `Dockerfile`. A patch is available at commit 1dcc2873d2168ad2d3d70afcb453ac1695fbdf02. As a workaround, one may use environment variables instead of `config*.py` files to configure this project, or use docker-compose installation to configure this project.
- How severe is CVE-2023-33979?
- CVE-2023-33979 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2023-33979 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (50th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-33979?
- CVE-2023-33979 affects Binary-husky Gpt Academic. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-33979?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-33979 published?
- CVE-2023-33979 was published on 2023-05-31 and last updated on 2026-06-17.
References
- https://github.com/binary-husky/gpt_academic/commit/1dcc2873d2168ad2d3d70afcb453ac1695fbdf02
- https://github.com/binary-husky/gpt_academic/security/advisories/GHSA-pg65-p24m-wf5g
Affected products (1)
- cpe:2.3:a:binary-husky:gpt_academic:*:*:*:*:*:*:*:*
More vulnerabilities in Binary-husky Gpt Academic
- CVE-2026-0764 — Critical (CVSS 9.8): GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows…
- CVE-2026-0763 — Critical (CVSS 9.8): GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability. This…
- CVE-2024-31224 — Critical (CVSS 9.8): GPT Academic provides interactive interfaces for large language models. A vulnerability was found in gpt_academic…
- CVE-2024-12390 — High (CVSS 8.8): A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application…
- CVE-2024-12389 — High (CVSS 8.8): A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the…
- CVE-2024-11039 — High (CVSS 8.8): A pickle deserialization vulnerability exists in the Latex English error correction plug-in function of…
All CVEs affecting Binary-husky Gpt Academic →
Other CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerabilities
- CVE-2026-27604 — Critical (CVSS 10.0): FOSSBilling is a free, open-source billing and client management system. Starting in version 0.5.4 and prior to version…
- CVE-2026-40965 — Critical (CVSS 10.0): Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a…
- CVE-2026-42826 — Critical (CVSS 10.0): Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose…
- CVE-2025-29270 — Critical (CVSS 10.0): Incorrect access control in the realtime.cgi endpoint of Deep Sea Electronics devices DSE855 v1.1.0 to v1.1.26 allows…
- CVE-2025-61481 — Critical (CVSS 10.0): An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by…
- CVE-2025-53624 — Critical (CVSS 10.0): The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user.…
Browse all CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerabilities →