Description

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance is able to run arbitrary code in the context of the Nuclio function container. This vulnerability affects CVAT deployments that run any of the serverless functions of type tracker from the CVAT Git repository, namely TransT and SiamMask. Deployments with custom functions of type tracker may also be affected, depending on how they handle state serialization. If a function uses an unsafe serialization library such as pickle or jsonpickle, it's likely to be vulnerable. Upgrade to CVAT 2.26.0 or later. If you are unable to upgrade, shut down any instances of the TransT or SiamMask functions you're running.

INFO

Published Date :

2025-01-28T15:19:26.196Z

Last Modified :

2025-01-28T16:16:54.414Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-23045 vulnerability.

Vendors Products
Cvat
  • Computer Vision Annotation Tool
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-23045.

URL Resource
https://github.com/cvat-ai/cvat/commit/563e1dfde64b15fa042b23f9d09cd854b35f0366 cve-icon cve-icon
https://github.com/cvat-ai/cvat/security/advisories/GHSA-wq36-mxf8-hv62 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact