CVE-2025-5150

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions docarray versions up to 0.40.1

Description A critical issue affects the getitem function of the /docarray/data/torch dataset.py file in the Web API component. This issue leads to improperly controlled modification of object prototype attributes, also known as 'prototype pollution'. The attack can be launched remotely.

Recommendations For versions up to 0.40.1, as a temporary workaround, consider disabling the getitem function until a patch is available. Restrict access to the /docarray/data/torch dataset.py file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Prototype Pollution

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1321CWE-94

Related Identifiers

CVE-2025-5150

GHSA-J9WP-865G-RF48

Affected Products

Docarray

CVE-2025-5150

Weakness Enumeration

Related Identifiers

Affected Products

References · 12