Heartex · Label Studio Community Edition · CVE-2022-36551
**Name of the Vulnerable Software and Affected Versions**
Heartex - Label Studio Community Edition versions 1.5.0 and earlier
**Description**
A Server Side Request Forgery (SSRF) in the Data Import module allows an authenticated user to access arbitrary files on the system. Self-registration is enabled by default, enabling a remote attacker to create a new account and then exploit the SSRF.
**Recommendations**
For versions 1.5.0 and earlier, update to version 1.6.0 to resolve the issue. As a temporary workaround, consider disabling the self-registration feature and restricting access to the Data Import module to minimize the risk of exploitation.