PT-2025-12125 · Unknown · Dmlc/Gluon-Cv

Published

2025-03-20

Updated

2025-03-21

CVE-2024-12216

CVSS v3.1

7.1

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions dmlc/gluon-cv version 0.10.0

Description A vulnerability in the ImageClassificationDataset.from csv() API allows for arbitrary file write. The function downloads and extracts tar.gz files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can exploit this by crafting malicious tar files that, when extracted, can overwrite files on the victim's system via path traversal or faked symlinks.

Recommendations As a temporary workaround, consider disabling the ImageClassificationDataset.from csv() function until a patch is available. Restrict access to the dmlc/gluon-cv repository version 0.10.0 to minimize the risk of exploitation. Avoid using the ImageClassificationDataset.from csv() API in the affected version until the issue is resolved.

Fix

Path traversal

Link Following

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22CWE-59CWE-20

Related Identifiers

CVE-2024-12216

GHSA-M724-HQMC-GGPX

Affected Products

Dmlc/Gluon-Cv

PT-2025-12125 · Unknown · Dmlc/Gluon-Cv

CVE-2024-12216

Weakness Enumeration

Related Identifiers

Affected Products

References · 6