CVE-2025-55149: TinyScientist has Path Traversal Vulnerability in PDF Review Function (CWE-22)

August 11, 2025

A critical path traversal vulnerability (CWE-22) has been identified in the review_paper function in backend/app.py. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions.

References

github.com/advisories/GHSA-rrgf-hcr9-jq6h
github.com/ulab-uiuc/tiny-scientist
github.com/ulab-uiuc/tiny-scientist/commit/7fd42873603012acb8c55a4fc3eaac9ab18e6559
github.com/ulab-uiuc/tiny-scientist/security/advisories/GHSA-rrgf-hcr9-jq6h
nvd.nist.gov/vuln/detail/CVE-2025-55149

Code Behaviors & Features

Detect and mitigate CVE-2025-55149 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →