PT-2026-40122 · Pypi · Imgaug
Published
2026-05-12
·
Updated
2026-05-12
·
CVE-2026-31235
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
imgaug versions prior to 0.4.0
Description
Insecure deserialization occurs in the
BackgroundAugmenter class within the multicore.py module. The augment images worker() function uses Python's pickle module to deserialize data from a multiprocessing queue without safety checks. An attacker capable of influencing the queue data can provide a malicious pickle payload, which, upon deserialization, allows for arbitrary code execution in the context of the worker process.Recommendations
Update to a version later than 0.4.0.
As a temporary workaround, restrict access to the
BackgroundAugmenter class or the augment images worker() function to minimize the risk of exploitation.Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Imgaug