GHSA-55g9-6c2x-gf8q

Source

https://github.com/advisories/GHSA-55g9-6c2x-gf8q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-55g9-6c2x-gf8q/GHSA-55g9-6c2x-gf8q.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-55g9-6c2x-gf8q

Aliases

CVE-2025-5173

Published

2025-05-26T09:30:44Z

Modified

2025-06-06T16:13:22.928700Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

HumanSignal label-studio-ml-backend Deserialization of Untrusted Data vulnerability

Details

A vulnerability has been found in HumanSignal label-studio-ml-backend up to 9fb7f4aa186612806af2becfb621f6ed8d9fdbaf and classified as problematic. Affected by this vulnerability is the function load of the file label-studio-ml-backend/labelstudioml/examples/yolo/utils/neural_nets.py of the component PT File Handler. The manipulation of the argument path leads to deserialization. An attack has to be approached locally. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.

Database specific

{
    "nvd_published_at": "2025-05-26T07:15:26Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-502"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-06T15:37:46Z"
}

References

Affected packages

PyPI / label-studio-ml

Package

Name: label-studio-ml; View open source insights on deps.dev
Purl: pkg:pypi/label-studio-ml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.0.9

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7rc0

1.0.7rc1

1.0.7

1.0.8rc0

1.0.8rc1

1.0.8rc2

1.0.8rc3

1.0.8

1.0.9rc0

1.0.9rc1

1.0.9