CVE-2025-23045

CVSSv4: 8.7 | CVSSv3: NA | CVSSv2: NA | VMScore: 970 | EPSS: 0.00065 | KEV: Not Included
Published: 28/01/2025 Updated: 28/01/2025

Vulnerability Summary

Remote Code Execution in CVAT Serverless Tracker Functions via Unsafe Serialization

A critical remote code execution vulnerability exists in Computer Vision Annotation Tool (CVAT) where an authenticated attacker can run arbitrary code within the Nuclio function container. The vulnerability specifically impacts CVAT deployments running serverless tracker functions like TransT and SiamMask from the CVAT Git repository. Custom tracker functions might also be vulnerable if they use unsafe serialization libraries such as pickle or jsonpickle. To mitigate this risk, users are advised to upgrade to CVAT version 2.26.0 or later. If upgrading is not possible, the recommendation is to shut down any active instances of TransT or SiamMask functions to prevent potential exploitation.
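The summary above traces the issue to tracker functions that rebuild their state with pickle or jsonpickle. As an added example (not CVAT's, Nuclio's, or the TransT/SiamMask code; the state layout, function names and size cap are assumptions), here is the unsafe pattern beside a hardened JSON loader that reconstructs the same state from a fixed schema:

```python
"""Tracker-state (de)serialization for a Python serverless handler: the
pickle pattern the advisory warns about beside a hardened JSON loader.
Added illustration; function names, the state layout (bbox + uint8
template) and the size cap are assumptions, not CVAT's or Nuclio's code."""
import base64
import json
import pickle  # present only to show the unsafe pattern; never use on requests

BBOX_KEYS = ("x", "y", "w", "h")
MAX_TEMPLATE_BYTES = 4 * 1024 * 1024  # assumed cap on template payloads

def unsafe_load_state(blob: bytes):
    """The pattern behind the advisory: unpickling a state blob supplied by the
    client lets the client choose which objects (and code) get constructed."""
    return pickle.loads(blob)

def dump_state(bbox: dict, shape: tuple, template: bytes) -> str:
    """Emit plain numbers and raw pixel bytes only; nothing executable."""
    return json.dumps({
        "bbox": {k: float(bbox[k]) for k in BBOX_KEYS},
        "template": {"shape": list(shape),
                     "data": base64.b64encode(template).decode("ascii")},
    })

def load_state(text: str) -> tuple:
    """Hardened counterpart: json.loads yields only dicts/lists/scalars, then
    every field is checked against a fixed schema before use."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"bbox", "template"}:
        raise ValueError("unexpected top-level keys")
    bbox, tpl = obj["bbox"], obj["template"]
    if not isinstance(bbox, dict) or set(bbox) != set(BBOX_KEYS) \
            or not all(isinstance(bbox[k], (int, float)) for k in BBOX_KEYS):
        raise ValueError("malformed bbox")
    shape = tpl.get("shape") if isinstance(tpl, dict) else None
    if not (isinstance(shape, list) and len(shape) == 2
            and all(isinstance(d, int) and 0 < d <= 4096 for d in shape)):
        raise ValueError("malformed shape")
    raw = base64.b64decode(tpl.get("data", ""), validate=True)
    if len(raw) > MAX_TEMPLATE_BYTES or len(raw) != shape[0] * shape[1]:
        raise ValueError("template size does not match shape")
    return {k: float(bbox[k]) for k in BBOX_KEYS}, tuple(shape), raw

def is_pickle_payload(blob: bytes) -> bool:
    """Gate for handlers that still accept raw bytes: protocol 2+ pickles start
    with PROTO (0x80) and end with STOP ('.'); refuse them up front."""
    return len(blob) >= 2 and blob[0] == 0x80 and blob.endswith(b".")
```

The loader never hands the payload to anything that constructs arbitrary Python objects, so a malicious state blob can at worst fail validation.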

Vulnerable Product

cvat-ai cvat