SB2025012872 - Deserialization of Untrusted Data in Computer Vision Annotation Tool (CVAT)

Published: January 28, 2025
Updated: May 21, 2026

Security Bulletin ID: SB2025012872
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Deserialization of Untrusted Data (CVE-ID: CVE-2025-23045)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in tracker Nuclio functions when restoring serialized tracking state. A remote user can supply crafted serialized state data to execute arbitrary code.

This affects deployments running tracker functions such as TransT and SiamMask, and may also affect custom tracker functions depending on how they handle state serialization.
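As an added illustration of the CWE-502 pattern described above (not CVAT's own code, nor its fix): a Nuclio-style tracker handler that restores client-supplied state, shown in the weak form beside two hardened forms. The state fields (`bbox`, `frame`), the base64 transport and the function names are assumptions made for this example.

```python
import base64
import io
import json
import pickle

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global (module.class) lookup.

    Scalars, lists and dicts never trigger find_class, so plain tracker
    state still loads; any object that names a class is rejected before
    it can be instantiated.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} in untrusted tracker state")

def load_state_unsafe(encoded: str):
    # The weak pattern: the client-supplied blob is deserialized as-is,
    # so any class it references gets instantiated on the server.
    return pickle.loads(base64.b64decode(encoded))

def load_state_restricted(encoded: str):
    # Transitional hardening for handlers that still exchange pickles.
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(encoded))).load()

def validate_state(state) -> dict:
    # Schema check: exactly the fields the tracker needs, with their types
    # (field names are constructed for this example, not CVAT's own).
    if not isinstance(state, dict):
        raise ValueError("state must be a mapping")
    bbox = state.get("bbox")
    if not (isinstance(bbox, list) and len(bbox) == 4
            and all(isinstance(v, (int, float)) and not isinstance(v, bool)
                    for v in bbox)):
        raise ValueError("bbox must be four numbers")
    frame = state.get("frame")
    if not isinstance(frame, int) or isinstance(frame, bool) or frame < 0:
        raise ValueError("frame must be a non-negative int")
    return {"bbox": [float(v) for v in bbox], "frame": frame}

def encode_state(state: dict) -> str:
    # Preferred direction: JSON carries data only, never code.
    return base64.b64encode(json.dumps(validate_state(state)).encode()).decode()

def load_state_json(encoded: str) -> dict:
    return validate_state(json.loads(base64.b64decode(encoded)))
```

State that carries numpy arrays or model tensors is rejected by the restricted unpickler as well, since those objects reference classes; converting such fields to plain lists before serialization is what makes the JSON form workable.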


Remediation

Install the update from the vendor's website.