Platform: python
Component: label-studio-sdk
Fixed in: 1.0.11, 1.0.10
A path traversal vulnerability has been identified in Label Studio SDK versions prior to 1.0.10. This flaw allows unauthorized access to files outside the intended directory structure, potentially exposing sensitive data. Versions of Label Studio prior to 1.16.0 relied on vulnerable SDK versions, with the issue confirmed in Label Studio 1.13.2.dev0. Users are advised to upgrade to Label Studio 1.16.0 or later to mitigate this risk.
The path traversal vulnerability in Label Studio SDK allows an attacker to manipulate file paths within the VOC, COCO, and YOLO export functionalities. By crafting malicious requests, an attacker can bypass intended access controls and retrieve arbitrary files from the server's file system. This could lead to the exposure of sensitive configuration files, source code, or even user data stored on the system. The potential blast radius depends on the permissions of the process running the Label Studio SDK and the sensitivity of the files accessible from that location. Successful exploitation could compromise the confidentiality and integrity of the entire Label Studio deployment.
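To make the defect class concrete, the following is an added example (not code from the Label Studio SDK or from the advisory): `naive_join` shows the generic pattern in which a user-supplied path is joined onto an export directory without checking the result, and `safe_join` shows the containment check that closes it. The base directory and file names are constructed for the demonstration.

```python
"""Path containment for a file export: the vulnerable pattern and its fix.

Added example; illustrative only, not the Label Studio SDK's own code.
"""
import os
from urllib.parse import unquote


def naive_join(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: join and normalise, never verify.

    '../' segments (or an absolute user_path) walk out of base_dir.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_join(base_dir: str, user_path: str) -> str:
    """Hardened variant: decode, resolve, then require the result to remain
    inside base_dir. Raises ValueError on any escape attempt.
    """
    base = os.path.realpath(base_dir)
    # Decode percent-encoding before checking so '%2e%2e/' is seen as '../'.
    # (If the web layer already decoded the value, skip this step to avoid
    # double-decoding a legitimate literal '%'.)
    decoded = unquote(user_path)
    if os.path.isabs(decoded):
        raise ValueError(f"absolute path rejected: {user_path!r}")
    # realpath collapses '..' and follows symlinks, so the comparison below is
    # made on the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath is segment-aware: '/srv/exports2' is NOT inside '/srv/exports',
    # which a plain startswith() check would get wrong.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes export directory: {user_path!r}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """True if safe_join would accept user_path under base_dir."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    base = "/srv/ls-exports"  # constructed directory for the demo
    for p in ["images/001.jpg", "../../etc/passwd",
              "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]:
        print(f"{p!r:32} naive -> {naive_join(base, p):28} "
              f"contained={is_contained(base, p)}")
```

The check is done on the resolved path rather than on the raw string, so it also rejects escapes that go through a symlink inside the export directory; a WAF rule that only looks for literal `../` would miss those.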
This vulnerability was publicly disclosed on 2025-02-14. No public proof-of-concept (PoC) code has been released at the time of writing, but the relatively straightforward nature of path traversal vulnerabilities suggests that a PoC could emerge. It is not currently listed on the CISA KEV catalog. The vulnerability's impact is amplified by its presence in Label Studio, a popular data labeling platform, potentially affecting a wide range of organizations.
Organizations using Label Studio for data annotation and labeling, particularly those processing sensitive data, are at risk. Shared hosting environments where Label Studio instances share the same file system are especially vulnerable, as a compromise of one instance could lead to access to data from other instances. Users relying on older Label Studio versions or those who have not applied security updates are also at increased risk.
• python / sdk: Check Label Studio SDK version using pip show label-studio-sdk.
• python / sdk: Monitor file system access logs for unusual activity from the Label Studio process, particularly attempts to access files outside the expected directories.
• generic web: Inspect Label Studio export endpoints for suspicious file path parameters using curl or wget.
• generic web: Review access and error logs for indications of path traversal attempts (e.g., requests containing ../ sequences).
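For the log-review step, here is an added example (not part of the advisory) that scans web-server access log lines in the common log format for traversal sequences, including percent-encoded and double-encoded variants that a literal `../` grep would miss. The log lines, client addresses, endpoint paths and the `path=` parameter are all constructed for the demonstration and are not real Label Studio output.

```python
"""Flag path-traversal attempts in access log lines.

Added example; the sample log and endpoint names are constructed.
"""
import re
from urllib.parse import unquote

# Common log format: client - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' segment followed by a forward or back slash (or the end of the path).
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so '%252e%252e' is seen as '..' too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(path: str) -> bool:
    """True if the raw or decoded request path contains a '..' segment."""
    return bool(TRAVERSAL_RE.search(path)) or \
        bool(TRAVERSAL_RE.search(decode_repeatedly(path)))


def find_traversal_attempts(lines):
    """Return one dict per suspicious request; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


# Constructed sample log; endpoint and parameter names are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2025:10:01:02 +0000] "GET /api/export?type=YOLO HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Feb/2025:10:01:09 +0000] "GET /api/export?type=YOLO&path=../../etc/passwd HTTP/1.1" 200 1314',
    '198.51.100.3 - - [14/Feb/2025:10:02:15 +0000] "GET /data/1/%2e%2e%2f%2e%2e%2fapp.py HTTP/1.1" 404 0',
    '198.51.100.3 - - [14/Feb/2025:10:02:20 +0000] "GET /data/1/..%255c..%255cconfig.ini HTTP/1.1" 400 0',
    '192.0.2.9 - - [14/Feb/2025:10:03:01 +0000] "GET /static/app..css HTTP/1.1" 200 800',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        # A 2xx status on a flagged request deserves the closest look: it means
        # the server answered rather than rejected the path.
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['path']}")
```

Treat a flagged request with a 2xx status as higher priority than one that was rejected, and pair the log hit with the file-system audit check from the previous step to confirm whether anything outside the export directory was actually read.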
disclosure
Exploit status
EPSS: 0.13% (33rd percentile)
CISA SSVC
The primary mitigation for CVE-2025-25295 is to upgrade Label Studio to version 1.16.0 or later and the Label Studio SDK to version 1.0.10 or later. If an immediate upgrade is not feasible, consider implementing stricter file access controls on the server hosting Label Studio to limit the potential impact of a successful exploit. Web application firewalls (WAFs) configured to detect and block path traversal attempts can provide an additional layer of defense. Monitor Label Studio logs for unusual file access patterns that might indicate an ongoing attack.
Update the label-studio-sdk library to version 1.0.10 or higher; this fixes the path traversal vulnerability. If you are using Label Studio, update to version 1.16.0 or later, since earlier versions declared vulnerable SDK versions as dependencies.
CVE-2025-25295 is a Path Traversal vulnerability in Label Studio SDK versions prior to 1.0.10, allowing unauthorized file access. It's rated HIGH severity (CVSS 7.5).
You are affected if you are using Label Studio SDK versions ≤1.0.8 or Label Studio versions prior to 1.16.0.
Upgrade Label Studio to version 1.16.0 or later, which includes the patched SDK version 1.0.10. Restrict file system access permissions as a temporary workaround.
No active exploitation has been publicly reported, but the ease of exploitation makes it a significant risk.
Refer to the Label Studio release notes and security advisories on their official website for the most up-to-date information.