CVE-2024-12994

Name of the Vulnerable Software and Affected Versions running-elephant Datart version 1.0.0-rc3

Description A critical issue affects the extractModel function of the File Upload component, specifically in the /import file. The manipulation of the file argument leads to deserialization. This issue can be exploited remotely. The exploit has been publicly disclosed, and the vendor was notified but did not respond.

Recommendations For running-elephant Datart version 1.0.0-rc3, as a temporary workaround, consider disabling the extractModel function until a patch is available. Restrict access to the File Upload component to minimize the risk of exploitation. Avoid using the file argument in the affected /import endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.