| タイトル | HumanSignal label-studio-ml-backend 0.0 Deserialization |
|---|
| 説明 | The Label Studio ML backend is an SDK that lets you wrap your machine learning code and turn it into a web server.
The function `load` in the given code is vulnerable to CWE - 502: Deserialization of Untrusted Data. It uses `torch.load` to deserialize data from the specified `path` without any validation. When `torch.load` is used to load malicious pickle data, arbitrary code can be executed during the deserialization process. This is because pickle data can contain executable code, and if the data is untrusted, it can lead to serious security risks such as remote code execution on the system running this code.
More details: https://github.com/HumanSignal/label-studio-ml-backend/issues/765 |
|---|
| ソース | ⚠️ https://github.com/HumanSignal/label-studio-ml-backend/issues/765 |
|---|
| ユーザー | ybdesire (UID 83239) |
|---|
| 送信 | 2025年05月15日 16:24 (11 月 ago) |
|---|
| モデレーション | 2025年05月25日 15:35 (10 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 310261 [HumanSignal label-studio-ml-backend 迄 9fb7f4aa186612806af2becfb621f6ed8d9fdbaf PT File neural_nets.py load path 特権昇格] |
|---|
| ポイント | 20 |
|---|