PT-2025-4790
Speclad · Published 2025-01-28 · Updated 2025-09-16
| Field | Value |
|---|---|
| CVE | CVE-2025-23045 |
| CVSS v3.1 | 9.8 (Critical) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Computer Vision Annotation Tool (CVAT) versions prior to 2.26.0
Description
The issue allows an attacker with an account on an affected CVAT instance to run arbitrary code in the context of the Nuclio function container. This affects CVAT deployments that run serverless functions of type tracker from the CVAT Git repository, such as TransT and SiamMask. Deployments with custom functions of type tracker may also be affected if they use an unsafe serialization library such as pickle or jsonpickle.
Recommendations
Upgrade to CVAT 2.26.0 or later.
If you are unable to upgrade, shut down any instances of the TransT or SiamMask functions you're running.
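As an added illustration of the weakness class this advisory names (not code from CVAT, Nuclio or the advisory itself), the following Python contrasts a tracker function that round-trips its state through pickle with one that encodes the same state as validated JSON. The TrackerState fields and all function names are assumptions.

```python
import json
import pickle
from dataclasses import dataclass

# Constructed tracker state: a bounding box and a flat template vector.
# Real tracker functions carry more, but the serialization problem is the same.
@dataclass
class TrackerState:
    bbox: list       # [x, y, w, h]
    template: list   # flat list of floats

# Unsafe pattern: the state handed to the client is a pickle, and the client
# sends it back on the next request. pickle.loads executes whatever the bytes
# describe, so a user who edits the state can run code in the container.
def encode_state_unsafe(state: TrackerState) -> bytes:
    return pickle.dumps(state)

def decode_state_unsafe(blob: bytes) -> TrackerState:
    return pickle.loads(blob)   # vulnerable: never do this with client input

# Hardened pattern: only plain data goes over the wire, and every field is
# checked on the way back in. JSON cannot describe objects or code, so an
# edited state can at most supply wrong numbers, which are rejected or harmless.
def encode_state(state: TrackerState) -> str:
    return json.dumps({"bbox": state.bbox, "template": state.template})

def decode_state(blob: str) -> TrackerState:
    doc = json.loads(blob)
    # Reject anything but exactly the two expected keys (this also rejects
    # jsonpickle-style documents carrying "py/object" and similar keys).
    if not isinstance(doc, dict) or set(doc) != {"bbox", "template"}:
        raise ValueError("unexpected state fields")
    bbox, template = doc["bbox"], doc["template"]
    if (not isinstance(bbox, list) or len(bbox) != 4
            or not all(isinstance(v, (int, float)) and not isinstance(v, bool)
                       for v in bbox)):
        raise ValueError("bbox must be four numbers")
    if (not isinstance(template, list)
            or not all(isinstance(v, float) for v in template)):
        raise ValueError("template must be a list of floats")
    return TrackerState(bbox=[float(v) for v in bbox], template=list(template))
```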
Weakness Enumeration
- Deserialization of Untrusted Data
- RCE
Related Identifiers
- CVE-2025-23045
Affected Products
- Cvat
- Nuclio