| Titre | HumanSignal label-studio-ml-backend 0.0 Deserialization |
|---|
| Description | The Label Studio ML backend is an SDK that lets you wrap your machine learning code and turn it into a web server.
The function `load` in the given code is vulnerable to CWE - 502: Deserialization of Untrusted Data. It uses `torch.load` to deserialize data from the specified `path` without any validation. When `torch.load` is used to load malicious pickle data, arbitrary code can be executed during the deserialization process. This is because pickle data can contain executable code, and if the data is untrusted, it can lead to serious security risks such as remote code execution on the system running this code.
More details: https://github.com/HumanSignal/label-studio-ml-backend/issues/765 |
|---|
| La source | ⚠️ https://github.com/HumanSignal/label-studio-ml-backend/issues/765 |
|---|
| Utilisateur | ybdesire (UID 83239) |
|---|
| Soumission | 15/05/2025 16:24 (il y a 11 mois) |
|---|
| Modérer | 25/05/2025 15:35 (10 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 310261 [HumanSignal label-studio-ml-backend PT File neural_nets.py load path élévation de privilèges] |
|---|
| Points | 20 |
|---|