PT-2022-23461 · Heartex · Label Studio Community Edition

Guilhermemachado26 · Published 2022-10-03 · Updated 2023-03-28 · CVE-2022-36551

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Heartex - Label Studio Community Edition versions 1.5.0 and earlier

Description: A Server Side Request Forgery (SSRF) in the Data Import module allows an authenticated user to access arbitrary files on the system. Self-registration is enabled by default, so a remote attacker can create a new account and then exploit the SSRF.

Recommendations: For versions 1.5.0 and earlier, update to version 1.6.0 to resolve the issue. As a temporary workaround, consider disabling the self-registration feature and restricting access to the Data Import module to minimize the risk of exploitation.
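The defensive control behind this class of bug is keeping an import URL from reaching local files or internal hosts. The following is an added example of an allowlist-style validator for a data-import endpoint; it is not Label Studio's code and not the fix shipped in 1.6.0. The function names, the FAKE_DNS table and the host names in it are constructed for the example, and the resolver is injectable so it runs offline.

```python
"""Added example: scheme and address allowlisting for a data-import URL.

Hypothetical validator, not Label Studio code. The resolver is injectable so
the example runs offline against a constructed DNS table.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers used only for this example (not real records).
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "intranet.local": ["10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    """Stand-in for DNS resolution; raises like a failed lookup would."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return FAKE_DNS[host]


def real_resolver(host: str) -> List[str]:
    """Resolve every A record for host with the system resolver."""
    _, _, addrs = socket.gethostbyname_ex(host)
    return addrs


def is_public_address(ip: str) -> bool:
    """True only for globally routable addresses (no loopback, RFC 1918, link-local, ...)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_import_url(url: str,
                        resolver: Callable[[str], List[str]] = real_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Rejects non-HTTP schemes such as file://,
    embedded credentials, and hosts that resolve to non-public addresses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme or '<none>'!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL are not allowed"
    try:
        # Literal IP: check it directly; otherwise check every resolved address.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, f"host {host!r} does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"host {host!r} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("file:///etc/passwd", "http://localhost/data.json",
                      "http://intranet.local/", "https://example.com/tasks.json"):
        print(candidate, "->", validate_import_url(candidate, fake_resolver))
```

A pre-request check like this is only part of the control: the fetch itself should connect to the address that was validated (otherwise a DNS answer can change between check and use), should re-validate every redirect target rather than following redirects blindly, and should cap response size. Disabling self-registration, as the advisory recommends, shrinks the population that can reach the import endpoint at all.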

Tags: Exploit · Fix · SSRF


Related Identifiers

CVE-2022-36551
GHSA-PC6F-259W-W3J6
PYSEC-2022-300

Affected Products

Label Studio Community Edition