CVE-2024-12387: CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) in binary-husky binary-husky/gpt_academic
A vulnerability in the binary-husky/gpt_academic repository, as of commit git 3890467, allows an attacker to crash the server by uploading a specially crafted zip bomb. The server decompresses the uploaded file and attempts to load it into memory, which can lead to an out-of-memory crash. This issue arises due to improper input validation when handling compressed file uploads.
AI Analysis
Technical Summary
CVE-2024-12387 identifies a vulnerability classified under CWE-409 (Improper Handling of Highly Compressed Data) in the binary-husky/gpt_academic repository. The server accepts compressed file uploads and decompresses them without validating the decompressed size or constraining the resources the decompression may consume. An attacker can upload a zip bomb: a small archive whose contents expand by orders of magnitude on decompression (nested archives compound the ratio layer by layer), so the server exhausts memory while loading the result and is terminated by an out-of-memory condition. The root cause is the absence of any limit on decompressed size, member count or nesting depth before the data is loaded into memory. The CVSS v3.0 base score is 6.5 (medium): the attack is reachable over the network with low complexity, requires low privileges (an account able to upload), needs no interaction from any other user, and affects availability only, not confidentiality or integrity. The record gives no fixed version; it describes the vulnerability as present as of the referenced commit and cites no patch or public exploit. The practical outcome is denial of service against the server, which also disrupts any workflow that depends on it.
Potential Impact
For European organizations, the primary impact is denial of service: the server crashes while processing a maliciously crafted compressed upload. This disrupts business operations for services that rely on binary-husky/gpt_academic, and the same weakness applies to any component that decompresses user-supplied archives without limits. Organizations in academia, research and software development, or any that run this open-source project or a derivative, may experience outages; exposure depends on whether the upload endpoint is reachable by untrusted users. Because confidentiality and integrity are unaffected, the risk of a data breach from this issue is low, but availability interruptions mean operational downtime, lost productivity and potential reputational damage. In critical infrastructure or public services, such outages could have wider societal impact. The medium severity indicates a moderate risk that should be addressed promptly to maintain service reliability.
Mitigation Recommendations
1. Validate uploaded archives before extraction: cap the declared and the actual decompressed size, the number of members, the per-member amplification ratio and the nesting depth (ideally refuse nested archives outright), and reject anything that exceeds the budget.
2. Decompress by streaming in fixed-size chunks while counting bytes, rather than loading a whole member into memory, and run extraction in a separate process or container with a memory limit and a timeout so that an out-of-memory kill takes down the worker, not the server.
3. Monitor memory and CPU usage of file-processing workers so that a runaway decompression is detected and terminated early.
4. Enforce authentication and authorization on the upload endpoint so that only trusted users can submit archives; this raises the bar but does not fix the underlying lack of limits.
5. Apply rate limiting and anomaly detection on upload endpoints to identify and block abuse patterns.
6. Keep binary-husky/gpt_academic updated and watch for an official fix for this issue.
7. A web application firewall can enforce an upload size cap and content-type checks, but it cannot see the decompressed size of an archive, so treat it as a secondary control, not a substitute for limits in the decompression code.
8. Educate developers and administrators about the risks of handling compressed data and the practices above for secure file processing.
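The following is an added example of the bounded decompression described in the technical analysis and in recommendations 1 and 2. It is not code from gpt_academic; the limit values, the function names and the in-memory handling of the upload are this example's own assumptions. It streams every member of a zip in fixed-size chunks while counting bytes, so the budget holds no matter what the archive's headers claim, and it refuses nested archives and traversal paths.

```python
"""Bounded ZIP inspection for an upload endpoint.

Added example, not gpt_academic code. Assumes the upload is available as
bytes before anything is extracted; limits below are illustrative policy.
"""
import io
import zipfile

# Example policy values (assumptions for this example, tune per deployment).
MAX_ENTRIES = 1_000                    # members listed in the central directory
MAX_ENTRY_BYTES = 64 * 1024 * 1024     # decompressed bytes per member
MAX_TOTAL_BYTES = 256 * 1024 * 1024    # decompressed bytes for the whole archive
MAX_RATIO = 100                        # decompressed:compressed per member
RATIO_FLOOR = 1024 * 1024              # apply the ratio test only past this size
CHUNK = 64 * 1024
NESTED_SUFFIXES = (".zip", ".gz", ".bz2", ".xz", ".7z", ".tar", ".rar")


class UnsafeArchive(ValueError):
    """Raised when an archive exceeds the decompression budget."""


def check_zip(data, max_entries=MAX_ENTRIES, max_entry=MAX_ENTRY_BYTES,
              max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Stream-decompress every member under byte budgets; return {name: size}.

    Declared sizes in the central directory are attacker-controlled, so they
    only serve to reject obvious bombs early. The streamed counters are the
    real limit: they bound memory regardless of what the headers say.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        if len(members) > max_entries:
            raise UnsafeArchive(f"{len(members)} members > {max_entries}")
        declared = sum(i.file_size for i in members)
        if declared > max_total:
            raise UnsafeArchive(f"declares {declared} bytes > {max_total}")
        sizes, total = {}, 0
        for info in members:
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if name.lower().endswith(NESTED_SUFFIXES):
                # No recursive extraction: nesting is how 42.zip-style bombs
                # reach exponential growth while each layer looks small.
                raise UnsafeArchive(f"nested archive {name!r}")
            if parts[0] == "" or ".." in parts:
                raise UnsafeArchive(f"unsafe path {name!r}")  # zip-slip guard
            seen = 0
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    seen += len(chunk)
                    total += len(chunk)
                    if seen > max_entry:
                        raise UnsafeArchive(f"{name!r} exceeds {max_entry} bytes")
                    if total > max_total:
                        raise UnsafeArchive(f"archive exceeds {max_total} bytes")
                    # compress_size comes from the header; understating it only
                    # makes the ratio test stricter, so a lie does not help.
                    if seen > RATIO_FLOOR and seen > max_ratio * max(info.compress_size, 1):
                        raise UnsafeArchive(f"{name!r} amplification > {max_ratio}:1")
            sizes[name] = seen
        return sizes


def is_safe_zip(data, **limits):
    """True if the archive is a well-formed zip that fits the budget."""
    try:
        check_zip(data, **limits)
        return True
    except (UnsafeArchive, zipfile.BadZipFile):
        return False


def make_zip(entries):
    """Build a constructed sample archive in memory (test data, not an upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    benign = make_zip({"notes/readme.txt": b"hello\n" * 100})
    bomb = make_zip({"big.bin": b"\0" * (8 * 1024 * 1024)})   # roughly 8 KiB compressed
    print(check_zip(benign))
    print(is_safe_zip(bomb, max_total=1024 * 1024))            # rejected by declared size
    print(is_safe_zip(bomb, max_total=1 << 30, max_entry=1 << 30))  # rejected by ratio
```

The ratio test is gated behind RATIO_FLOOR because small, repetitive files (a log of identical lines, say) legitimately compress well; only large members with extreme amplification are suspicious. Python's zipfile happens to truncate each member at its declared size and fail the CRC check, but other decompressors do not, which is why the streamed counters rather than the header values are the control.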
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-12-09T21:00:36.453Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b24178f764e1f470ae7
Added to database: 10/15/2025, 1:01:24 PM
Last enriched: 10/15/2025, 1:22:28 PM
Last updated: 10/16/2025, 1:44:53 PM
Views: 1
Related Threats
- CVE-2025-9804: Vulnerability in WSO2 WSO2 Identity Server as Key Manager (Critical)
- CVE-2025-9152: Vulnerability in WSO2 WSO2 API Manager (Critical)
- CVE-2025-9955: Vulnerability in WSO2 WSO2 Enterprise Integrator (Medium)
- CVE-2025-10611: Vulnerability in WSO2 WSO2 API Manager (Critical)
- Fuji Electric HMI Configurator Flaws Expose Industrial Organizations to Hacking (Medium)