CVE-2025-25185 Overview
CVE-2025-25185 is a Symlink Attack vulnerability affecting GPT Academic, an interactive interface platform for large language models. In versions 3.91 and earlier, GPT Academic does not properly account for soft links (symbolic links) when handling uploaded archive files. An attacker can craft a malicious file as a soft link pointing to a target file on the server, package this soft link into a tar.gz archive, and upload it. When the server decompresses and accesses the file, the soft link resolves to the target file on the victim server, enabling unauthorized file access.
Critical Impact
This vulnerability allows unauthenticated remote attackers to read arbitrary files on the server, potentially exposing sensitive configuration files, credentials, and application data through symlink traversal in uploaded archives.
Affected Products
- binary-husky GPT Academic version 3.91 and earlier
- All installations accepting user-uploaded archive files
- Self-hosted GPT Academic deployments with file upload functionality enabled
Discovery Timeline
- 2025-03-03 - CVE-2025-25185 published to NVD
- 2025-03-07 - Last updated in NVD database
Technical Details for CVE-2025-25185
Vulnerability Analysis
This vulnerability falls under CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink attack. The root issue lies in how GPT Academic processes uploaded archive files without validating whether contained files are symbolic links pointing outside the intended extraction directory.
When a user uploads a tar.gz or similar archive, the application extracts its contents without checking if any files are symlinks. An attacker can exploit this by creating a symlink pointing to a sensitive file such as /etc/passwd, /etc/shadow, or application configuration files containing database credentials or API keys. Once extracted, accessing the uploaded file through the web interface causes the server to follow the symlink and return the contents of the target file.
The vulnerability is exploitable over the network without authentication, and while it does not allow file modification or denial of service, it provides complete read access to files accessible by the application's process user.
Root Cause
The vulnerability stems from insufficient input validation in the archive extraction functionality within shared_utils/handle_upload.py. The original implementation extracted archive contents directly without:
- Checking if file entries are symbolic links
- Validating that extracted paths remain within the intended destination directory
- Sanitizing path traversal sequences in filenames
Attack Vector
An attacker exploits this vulnerability through the following attack chain:
- Create a symbolic link on a local machine pointing to a target file (e.g., ln -s /etc/passwd malicious_link)
- Package the symlink into a tar.gz archive that preserves symlink metadata
- Upload the malicious archive to the GPT Academic instance
- Access the decompressed file through the application interface
- The server follows the symlink and returns the target file's contents
The security patch introduced in commit 5dffe8627f681d7006cebcba27def038bb691949 adds proper validation:
```python
import os  # needed by the routine; not part of the excerpt shown in the commit


def safe_extract_rar(file_path, dest_dir):
    import rarfile
    import posixpath
    with rarfile.RarFile(file_path) as rf:
        os.makedirs(dest_dir, exist_ok=True)
        base_path = os.path.abspath(dest_dir)
        for file_info in rf.infolist():
            orig_filename = file_info.filename
            filename = posixpath.normpath(orig_filename).lstrip('/')
            # Path traversal protection (note: this coarse check also rejects
            # any legitimate name that merely contains "..")
            if '..' in filename or filename.startswith('../'):
                raise Exception(f"Attempted Path Traversal in {orig_filename}")
            # Symlink protection (RarInfo.is_symlink() is available in rarfile >= 4.0)
            if hasattr(file_info, 'is_symlink') and file_info.is_symlink():
                raise Exception(f"Attempted Symlink in {orig_filename}")
            # Construct full target path
            target_path = os.path.join(base_path, filename)
            final_path = os.path.normpath(target_path)
            # Final path validation
            if not final_path.startswith(base_path):
                raise Exception(f"Attempted Path Traversal in {orig_filename}")
        # Every entry passed validation; only now is the archive extracted
        rf.extractall(dest_dir)
```
Source: GitHub Commit Update
Detection Methods for CVE-2025-25185
Indicators of Compromise
- Uploaded archive files containing symbolic links in web server upload directories
- Access logs showing requests for files that resolve to sensitive system paths like /etc/passwd or /etc/shadow
- Unusual file read patterns from the GPT Academic process accessing files outside the application directory
- Archive extraction errors or exceptions related to symlink handling in application logs
Detection Strategies
- Monitor file system access patterns for the GPT Academic process reading files outside its designated directories
- Implement archive inspection rules to flag uploaded tar.gz, tar, or rar files containing symbolic links
- Configure web application firewalls to detect and block archive uploads with suspicious symlink entries
- Review application logs for extraction attempts involving path traversal sequences (../) or symlink resolution
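The following is an added example, not code from the GPT Academic project. It carries the checks of the commit's safe_extract_rar() over to tar and tar.gz uploads (the archive type named in the advisory) using Python's tarfile module, and at the same time implements the "archive inspection rule" from the detection strategies above: inspect_tar_members() reports every member that would be unsafe to extract (symlink, hardlink, absolute name, traversal, device entry), and safe_extract_tar() refuses the whole upload if any such member exists. The function names, the Finding record and the three constructed sample archives are this example's own assumptions.

```python
"""Inspect and safely extract uploaded tar archives (tar, tar.gz, ...).

Added example, not GPT Academic code. Function names and sample archives are
assumptions made for this demonstration.
"""
import io
import os
import posixpath
import tarfile
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    member: str
    reason: str


def inspect_tar_members(archive_bytes: bytes) -> list:
    """Return a Finding for each member a defender should flag.

    Policy: no symlinks or hardlinks at all (even an in-tree link can be
    followed by a later member or by the web interface), no absolute names,
    no traversal outside the extraction root, no device/FIFO entries.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.issym():
                findings.append(Finding(m.name, f"symlink -> {m.linkname}"))
            elif m.islnk():
                findings.append(Finding(m.name, f"hardlink -> {m.linkname}"))
            elif not (m.isfile() or m.isdir()):
                findings.append(Finding(m.name, f"unsupported entry type {m.type!r}"))
            if m.name.startswith("/"):
                findings.append(Finding(m.name, "absolute path"))
            norm = posixpath.normpath(m.name)
            if norm == ".." or norm.startswith("../"):
                findings.append(Finding(m.name, "path traversal"))
    return findings


def safe_extract_tar(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract only if inspection is clean; return the extracted member names."""
    findings = inspect_tar_members(archive_bytes)
    if findings:
        raise ValueError("; ".join(f"{f.member}: {f.reason}" for f in findings))
    base = os.path.realpath(dest_dir)
    os.makedirs(base, exist_ok=True)
    # Python 3.12+ ships tarfile.data_filter, which enforces similar rules
    # inside tarfile itself; use it as a second layer when available.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            # realpath resolves any symlink already present under dest_dir,
            # so the final location is compared against the real root.
            target = os.path.realpath(os.path.join(base, m.name))
            if os.path.commonpath([base, target]) != base:
                raise ValueError(f"{m.name}: escapes extraction root")
            tf.extract(m, base, set_attrs=False, **extra)
            extracted.append(m.name)
    return extracted


def build_tar(members) -> bytes:
    """Constructed sample archives for the demo: members are
    (name, text_or_None, linkname_or_None); a linkname makes a symlink entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text, linkname in members:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tf.addfile(info)
            else:
                payload = text.encode()
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed inputs: a benign upload, the CVE-2025-25185 shape (a symlink
# member pointing at a file on the server) and a classic traversal name.
BENIGN = build_tar([("notes/readme.txt", "hello", None)])
SYMLINK_UPLOAD = build_tar([("report.txt", None, "/etc/passwd")])
TRAVERSAL_UPLOAD = build_tar([("../outside.txt", "x", None)])


def try_extract(archive_bytes: bytes) -> str:
    """Extract into a fresh temp dir; report 'extracted:<names>' or 'rejected:<why>'."""
    dest = tempfile.mkdtemp(prefix="upload_")
    try:
        return "extracted:" + ",".join(safe_extract_tar(archive_bytes, dest))
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("symlink", SYMLINK_UPLOAD),
                        ("traversal", TRAVERSAL_UPLOAD)]:
        print(label, try_extract(blob))
```

inspect_tar_members() can run on its own as a pre-upload scanner (the external archive scanning workaround listed further down), since it never writes to disk; safe_extract_tar() is the drop-in replacement for a bare extractall() call. The policy deliberately rejects every link entry rather than only links whose target lies outside the destination, because a link inside the tree can still be followed by a later archive member or by the web interface that serves the extracted files.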
Monitoring Recommendations
- Enable detailed logging for file upload and extraction operations in GPT Academic
- Set up alerts for access to sensitive files like /etc/passwd, application configuration files, or credential stores from the web application process
- Monitor for anomalous data exfiltration patterns where large amounts of system file data are returned in HTTP responses
- Implement file integrity monitoring on critical system files to detect unauthorized access attempts
How to Mitigate CVE-2025-25185
Immediate Actions Required
- Update GPT Academic to a version newer than 3.91 that includes the security patch
- Temporarily disable file upload functionality if immediate patching is not possible
- Review server logs for any evidence of exploitation attempts involving archive uploads
- Audit recently uploaded archive files for suspicious symlink entries
Patch Information
The vulnerability has been addressed in commit 5dffe8627f681d7006cebcba27def038bb691949. Organizations should update their GPT Academic installations by pulling the latest code from the official repository. The patch adds explicit symlink detection and path traversal validation to the archive extraction routines. For detailed information, refer to the GitHub Security Advisory.
Workarounds
- Restrict file upload functionality to authenticated and trusted users only
- Implement external archive scanning that rejects uploads containing symbolic links before they reach the application
- Deploy the application in a containerized environment with minimal file system exposure
- Use operating system-level controls to restrict the GPT Academic process from accessing sensitive system files
```
# Configuration example - Restrict process file access with AppArmor
# Save as /etc/apparmor.d/gpt_academic, load with: apparmor_parser -r /etc/apparmor.d/gpt_academic
# This is a named profile; start the application under it with:
#   aa-exec -p gpt_academic -- <command that starts GPT Academic>
#include <tunables/global>

profile gpt_academic {
  #include <abstractions/base>

  # Deny access to sensitive system files (deny rules win over any allow rule)
  deny /etc/shadow r,
  deny /etc/passwd r,
  deny /root/** r,

  # Allow only necessary application paths (replace the placeholders)
  /path/to/gpt_academic/** r,
  /path/to/upload_dir/** rw,
}
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.