Description

Tiny-Scientist is a lightweight framework for automating the entire lifecycle of scientific research—from ideation to implementation, writing, and review. In versions 0.1.1 and below, a critical path traversal vulnerability has been identified in the review_paper function in backend/app.py. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions. This vulnerability allows attackers to: read any PDF file accessible to the server process, potentially access sensitive documents outside the intended directory and perform reconnaissance on the server's file system structure. This issue does not currently have a fix.

INFO

Published Date :

2025-08-09T02:02:30.630Z

Last Modified :

2025-08-11T14:03:29.406Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-55149 vulnerability.

Vendors Products
Tiny-scientist Project
  • Tiny-scientist
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-55149.

URL Resource
https://github.com/ulab-uiuc/tiny-scientist/security/advisories/GHSA-rrgf-hcr9-jq6h cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability