PT-2025-12124 · Kedro Org · Kedro

Published 2025-03-20 · Updated 2025-03-20 · CVE-2024-12215

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: kedro-org/kedro version 0.19.8
Description: The issue allows remote code execution (RCE) by executing arbitrary commands on the victim's machine. This is possible because the _project_wheel_metadata() function, which lies on the code path of the pull_package() API function, can execute the setup.py file contained in a pulled tar archive.
Recommendations: For version 0.19.8, consider disabling the pull_package() API function until a patch is available, to prevent remote code execution. Restrict access to the _project_wheel_metadata() function to minimize the risk of exploitation. Avoid using pull_package() to download and extract micro-packages from the Internet until the issue is resolved.
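The pull path above builds wheel metadata from the archive's setup.py, so the archive's contents are the thing to review before anything is pulled. As an added example (not code from the Kedro project or from this advisory), the following pre-flight check inspects a micro-package sdist tarball without extracting or executing it: it flags member paths that escape the extraction directory and uses the ast module to list top-level statements in setup.py that go beyond imports, plain assignments and a setup()/find_packages() call. Function names and the sample setup.py sources are constructed for this example.

```python
import ast
import io
import tarfile

# Calls a plain setuptools setup.py is expected to make at import time.
_ALLOWED_CALLS = {"setup", "find_packages"}
# Constructed sample setup.py sources used by the self-test.
BENIGN_SETUP_PY = ("from setuptools import setup, find_packages\n"
                   "setup(name='pkg', version='0.1', packages=find_packages())\n")
SUSPICIOUS_SETUP_PY = BENIGN_SETUP_PY + "import os\nos.system('echo side effect')\n"

def _calls_allowed(stmt):
    """True if every call inside the statement targets an allowed function."""
    return all(isinstance(n.func, ast.Name) and n.func.id in _ALLOWED_CALLS
               for n in ast.walk(stmt) if isinstance(n, ast.Call))

def setup_py_findings(source):
    """Statically list top-level statements beyond imports/assignments/setup(); nothing runs."""
    findings = []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, (ast.Import, ast.ImportFrom)):
            continue
        if isinstance(stmt, (ast.Assign, ast.Expr)) and _calls_allowed(stmt):
            continue
        findings.append(f"line {stmt.lineno}: {type(stmt).__name__} "
                        f"{ast.unparse(stmt)[:60]}")
    return findings

def inspect_micropkg_archive(data):
    """Inspect a micro-package sdist (tar.gz bytes) without extracting it."""
    report = {"has_setup_py": False, "unsafe_paths": [], "setup_py_findings": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts:
                report["unsafe_paths"].append(member.name)
            if member.isfile() and parts[-1] == "setup.py":
                report["has_setup_py"] = True
                source = tar.extractfile(member).read().decode("utf-8")
                report["setup_py_findings"] += setup_py_findings(source)
    return report

def build_sample_archive(setup_py, name="pkg-0.1/setup.py"):
    """Build a constructed in-memory sdist containing only a setup.py."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = setup_py.encode("utf-8")
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Any non-empty findings or unsafe paths mean the archive should be reviewed by hand (or discarded) rather than passed to pull_package(); an empty report is not proof of safety, only that the static checks found nothing.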

Fix

Code Injection

RCE


Weakness Enumeration

Related Identifiers

CVE-2024-12215
GHSA-RM69-WVPV-R2W7

Affected Products

Kedro