CVE-2025-10236
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in binary-husky gpt_academic up to 3.91. Impacted is the function merge_tex_files_ of the file crazy_functions/latex_fns/latex_toolbox.py of the component LaTeX File Handler. Such manipulation of the argument \input{} leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-11
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10236
EUVD
EUVD-2025-28917
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
binary-husky gpt_academic to 3.91 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10236 is a path traversal vulnerability in the gpt_academic software (up to version 3.91), specifically in the merge_tex_files_ function of the latex_toolbox.py file. The vulnerability occurs because the function improperly handles the \input{} directive in LaTeX files, failing to sanitize file paths. This allows an attacker to craft malicious input with directory traversal sequences (like ../) to access arbitrary files on the server or local filesystem remotely. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an attacker to read sensitive or confidential files on the server or system where the vulnerable software is running. Since the attack can be launched remotely with low complexity, it poses a risk to confidentiality. There is no impact on integrity or availability reported. The exploit is publicly available, increasing the risk of exploitation. [2]

Detection Guidance

This vulnerability can be detected by analyzing the usage of the `merge_tex_files_` function in the `latex_toolbox.py` file for improper sanitization of the `\input{}` argument. On your system, you can search for `.tex` files that contain suspicious `\input{}` directives with directory traversal patterns such as `../`. For example, you can use the following command to find such patterns in `.tex` files: `grep -r '\\input{\.\./' /path/to/tex/files`. Additionally, monitoring logs for unusual file access patterns or attempts to read files outside expected directories may help detect exploitation attempts. Since a public proof-of-concept exploit is available, testing with crafted `.tex` files containing traversal sequences can also confirm vulnerability presence. [1, 2]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of affected versions of gpt_academic (up to 3.91) and considering alternative products or updated versions if available. Since the vendor has not provided any patches or mitigations, users should restrict access to the vulnerable application, especially limiting remote access. Implementing input validation or sanitization on the `\input{}` argument to prevent directory traversal sequences is recommended if you can modify the source code. Monitoring and blocking suspicious file access attempts can also reduce risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart