Deserialization of Untrusted Data in Computer Vision Annotation Tool (CVAT) - CVE-2025-23045

Published: January 28, 2025 / Updated: May 21, 2026


Vulnerability identifier: #VU132049
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-23045
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Intel
Affected software:
Computer Vision Annotation Tool (CVAT)

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in tracker Nuclio functions when restoring serialized tracking state. A remote user can supply crafted serialized state data to execute arbitrary code.

This affects deployments running tracker functions such as TransT and SiamMask, and may also affect custom tracker functions depending on how they handle state serialization.
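As an added defensive illustration (not CVAT's or the Nuclio tracker functions' own code; the state fields and the JSON-in-base64 transport are assumptions), this is the shape of a state restore that cannot turn into code execution: the blob is treated as data with a fixed, validated layout, so a crafted state is rejected rather than interpreted.

```python
import base64
import json
from dataclasses import dataclass

MAX_STATE_BYTES = 64 * 1024  # assumed upper bound for one serialized state blob


@dataclass(frozen=True)
class TrackerState:
    """Hypothetical tracker state: frame index plus the last box (x, y, w, h)."""
    frame: int
    box: tuple

    def serialize(self) -> str:
        # Plain JSON wrapped in base64 for transport: data only, no object graph.
        return encode_blob({"frame": self.frame, "box": list(self.box)})


def encode_blob(obj) -> str:
    """Base64-wrap a JSON document (also used to build constructed inputs)."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


def restore_state(blob: str) -> TrackerState:
    """Rebuild a TrackerState from an untrusted blob, checking shape and ranges."""
    # Every failure below raises ValueError (binascii.Error, JSONDecodeError and
    # UnicodeDecodeError are all subclasses), so callers have one thing to catch.
    raw = base64.b64decode(blob, validate=True)
    if len(raw) > MAX_STATE_BYTES:
        raise ValueError("state blob too large")
    data = json.loads(raw)
    if not isinstance(data, dict) or set(data) != {"frame", "box"}:
        raise ValueError("unexpected state layout")
    frame, box = data["frame"], data["box"]
    if type(frame) is not int or frame < 0:  # bool is an int subclass, reject it
        raise ValueError("bad frame index")
    if (not isinstance(box, list) or len(box) != 4
            or any(type(v) not in (int, float) or not v >= 0 for v in box)):
        raise ValueError("bad bounding box")  # also rejects NaN via "not v >= 0"
    return TrackerState(frame=frame, box=tuple(float(v) for v in box))


def is_valid_blob(blob: str) -> bool:
    """True only if the blob passes every check in restore_state."""
    try:
        restore_state(blob)
    except ValueError:
        return False
    return True
```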


How to mitigate CVE-2025-23045

Install the security update from the vendor's website.

Sources