CVE-2024-37743

| EUVD-2024-54696 CRITICAL
2025-06-24 [email protected]
RCE Knowledgegpt
9.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 15, 2026 - 22:36 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 22:36 euvd
EUVD-2024-54696
CVE Published
Jun 24, 2025 - 20:15 nvd
CRITICAL 9.8

DescriptionNVD

An issue in mmzdev KnowledgeGPT V.0.0.5 allows a remote attacker to execute arbitrary code via the Document Display Component.

AnalysisAI

CVE-2024-37743 is a critical remote code execution vulnerability in mmzdev KnowledgeGPT v0.0.5 that allows unauthenticated attackers to execute arbitrary code through a flaw in the Document Display Component. The vulnerability has a CVSS score of 9.8 and CWE-94 classification (improper control of generation of code), indicating unsafe code generation or deserialization. Given the high CVSS and network-accessible attack vector with no authentication requirements, this represents an actively exploitable critical risk to any organization running the affected version.

Technical ContextAI

The vulnerability stems from CWE-94 (Improper Control of Generation of Code, 'Code Injection'), which typically involves unsafe handling of user-controlled input in code generation, template processing, or object deserialization contexts. In mmzdev KnowledgeGPT v0.0.5, the Document Display Component—responsible for rendering and processing uploaded or referenced documents—fails to properly sanitize or validate document content before processing. This likely allows attackers to inject malicious code through crafted document payloads. The vulnerability may involve unsafe deserialization of document objects, template injection in document rendering engines, or direct code generation from document metadata. KnowledgeGPT is a document intelligence platform integrating large language models with document processing; the Document Display Component handles parsing and rendering of multiple document formats (PDF, DOCX, etc.), creating a high-risk attack surface when input validation is inadequate.

RemediationAI

Immediate actions: (1) Upgrade mmzdev KnowledgeGPT to a patched version greater than 0.0.5—check mmzdev's official repository and security advisories for the next available release. (2) If upgrade is not immediately possible, implement network-level controls: restrict access to KnowledgeGPT instances to trusted IP ranges, deploy WAF rules to block malicious document uploads, and disable the Document Display Component if not critical to operations. (3) Implement input validation: if source code is available, audit and patch the Document Display Component to sanitize document content and avoid unsafe deserialization. (4) Monitor for exploitation: enable logging for document upload/processing events and search logs for suspicious activity patterns. (5) Contact mmzdev (https://github.com/mmzdev or official channels) for patch availability, release timeline, and any interim mitigations. Patch application should be prioritized as critical within 24-48 hours.

Share

CVE-2024-37743 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy