PT-2025-26837 · Cvat · Cvat
Speclad · Published 2025-06-25 · Updated 2025-06-25 · CVE-2025-49135
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: CVAT versions 2.2.0 through 2.39.0
Description: CVAT is an open source interactive video and image annotation tool for computer vision. The issue arises from the lack of validation during the import process of a project or task backup, allowing an attacker with a CVAT account and a user role to potentially access and steal data by creating projects or tasks using files belonging to other users, if they know the filenames of those uploads. This issue does not affect annotation or dataset TUS uploads.
Recommendations: For CVAT versions 2.2.0 through 2.39.0, upgrade to CVAT 2.40.0 or a later version to receive a patch. As a temporary workaround, consider restricting access to the import process of project or task backups to minimize the risk of exploitation.
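The flaw described above is an ownership check missing on a client-supplied upload filename. The following added example is not CVAT code; it models the vulnerable lookup beside a hardened one (upload names resolved only within the requester's own uploads) and a retrospective audit over a constructed request log, using hypothetical names such as UPLOADS and resolve_backup_checked.

```python
from dataclasses import dataclass
from pathlib import Path

# Constructed model of "completed uploads" keyed by filename, which is what a
# backup-import request references. Hypothetical; not CVAT's data model.
@dataclass(frozen=True)
class Upload:
    filename: str
    owner_id: int

UPLOADS = {
    "team_a_backup.zip": Upload("team_a_backup.zip", owner_id=1),
    "team_b_backup.zip": Upload("team_b_backup.zip", owner_id=2),
}

class Forbidden(Exception):
    pass

def resolve_backup_unchecked(filename: str) -> Upload:
    """Vulnerable pattern: the client-supplied filename is trusted on its own,
    so any account that knows another user's filename can import that file."""
    return UPLOADS[filename]

def resolve_backup_checked(filename: str, requester_id: int) -> Upload:
    """Hardened pattern: a filename only has meaning inside the requester's own
    upload namespace, and a missing name and a foreign name look the same."""
    # Reject anything with path components so a name cannot leave the namespace.
    if not filename or Path(filename).name != filename or filename in (".", ".."):
        raise Forbidden("invalid upload name")
    upload = UPLOADS.get(filename)
    if upload is None or upload.owner_id != requester_id:
        raise Forbidden("no such upload for this user")
    return upload

def audit_import_requests(requests: list[tuple[int, str]]) -> list[tuple[int, str]]:
    """Retrospective check for a deployment that ran an affected version: return
    (requester_id, filename) pairs where an import named an upload the requester
    did not own."""
    return [
        (uid, name) for uid, name in requests
        if name in UPLOADS and UPLOADS[name].owner_id != uid
    ]

# Constructed request log of (requester_id, filename) pairs.
REQUEST_LOG = [(1, "team_a_backup.zip"), (1, "team_b_backup.zip"), (2, "team_b_backup.zip")]

if __name__ == "__main__":
    print(audit_import_requests(REQUEST_LOG))
```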

Weakness Enumeration: IDOR
Related Identifiers: CVE-2025-49135, GHSA-FRPR-5W6Q-HH4F
Affected Products: Cvat