CVE-2025-5173: HumanSignal label-studio-ml-backend PT File neural_nets.py load deserialization
Description
A vulnerability has been found in HumanSignal label-studio-ml-backend up to 9fb7f4aa186612806af2becfb621f6ed8d9fdbaf and classified as problematic. Affected by this vulnerability is the function load of the file label-studio-ml-backend/label_studio_ml/examples/yolo/utils/neural_nets.py of the component PT File Handler. The manipulation of the argument path leads to deserialization. An attack has to be approached locally. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. In HumanSignal label-studio-ml-backend bis 9fb7f4aa186612806af2becfb621f6ed8d9fdbaf wurde eine Schwachstelle gefunden. Sie wurde als problematisch eingestuft. Das betrifft die Funktion load der Datei label-studio-ml-backend/label_studio_ml/examples/yolo/utils/neural_nets.py der Komponente PT File Handler. Mittels Manipulieren des Arguments path mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Der Angriff muss lokal angegangen werden. Dieses Produkt setzt Rolling Releases ein. Aus diesem Grund sind Details zu betroffenen oder zu aktualisierende Versionen nicht verfügbar.
Classification
CVE ID: CVE-2025-5173
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected Products
Vendor: HumanSignal
Product: label-studio-ml-backend
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.02% (probability of being exploited)
EPSS Percentile: 3.27% (scored less or equal to compared to others)
EPSS Date: 2025-06-18 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-5173https://vuldb.com/?id.310261
https://vuldb.com/?ctiid.310261
https://vuldb.com/?submit.578126
https://github.com/HumanSignal/label-studio-ml-backend/issues/765