CVE-2024-9701: Remote Code Execution in kedro-org/kedro

9.8 CVSS

Description

A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized.

Classification

CVE ID: CVE-2024-9701

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-502 Deserialization of Untrusted Data

Affected Products

Vendor: kedro-org

Product: kedro-org/kedro

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.29% (probability of being exploited)

EPSS Percentile: 51.94% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-9701
https://huntr.com/bounties/96c77fef-93b2-4d4d-8cbe-57a718d8eea5
https://github.com/kedro-org/kedro/commit/d79fa51de55ac0ccb58cce1a482df1b445f0fe7c

Timeline

2025-03-20 11:40:50 UTC
CVE

Remote Code Execution in kedro-org/kedro