HIGH · CVE-2024-49048 · CVSS 8.1

CVE-2024-49048: RCE in torchgeo

Platform

python

Component

torchgeo

Fixed in

0.6.1


AI Confidence: high · NVD · EPSS 0.5% · Reviewed: May 2026

CVE-2024-49048 describes a Remote Code Execution (RCE) vulnerability within the torchgeo library, specifically affecting versions up to 0.6.0. This flaw allows an attacker to potentially execute arbitrary code on a system by crafting malicious datasets. A fix has been released in version 0.6.1, and users are strongly advised to upgrade to mitigate this risk.


Impact and Attack Scenarios

The RCE vulnerability in torchgeo arises from insufficient validation of data within datasets. An attacker could craft a specially designed dataset that, when processed by torchgeo, triggers the execution of arbitrary code. This could lead to complete system compromise, including data theft, malware installation, and denial of service. The impact is particularly severe because torchgeo is often used in machine learning pipelines, potentially exposing sensitive data and infrastructure to malicious actors. The ability to execute code within the context of the torchgeo process grants a high degree of control over the affected system.

Exploitation Context

CVE-2024-49048 was published on 2024-11-12. Currently, there are no publicly available exploits. The EPSS score is pending evaluation. It is not listed on the CISA KEV catalog at the time of this writing. The vulnerability's reliance on crafted datasets suggests a potential for targeted attacks within machine learning workflows.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.50% (66% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

Threat Intelligence · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base score: 8.1 (HIGH)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: torchgeo
Vendor: osv
Affected range · Fixed in
1.0.0 – 0.6.1 · 0.6.1
0.4 · 0.6.1
(unspecified) · 0.6.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched -32 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2024-49048 is to upgrade to torchgeo version 0.6.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on datasets processed by torchgeo. While a direct WAF rule is unlikely to be effective, implementing network segmentation to limit the potential blast radius of a successful exploit is recommended. Monitor system logs for unusual process execution or network activity originating from torchgeo processes.

How to fix

Update the TorchGeo library to version 0.6.1 or later. This fixes the remote code execution vulnerability. You can update with `pip install torchgeo --upgrade`.


Frequently asked questions

What is CVE-2024-49048 — RCE in torchgeo?

CVE-2024-49048 is a Remote Code Execution vulnerability affecting torchgeo versions up to 0.6.0. It allows an attacker to execute arbitrary code via crafted datasets, potentially leading to system compromise.

Am I affected by CVE-2024-49048 in torchgeo?

You are affected if you are using torchgeo version 0.6.0 or earlier. Check your installed version using `pip list`.

How do I fix CVE-2024-49048 in torchgeo?

Upgrade to torchgeo version 0.6.1 or later. If immediate upgrade is not possible, implement stricter input validation on datasets.
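To answer the two questions above (is the installed or pinned torchgeo older than the fixed release, and which dependency file needs the upgrade), here is an added Python check; it is not part of this page or of the torchgeo project. It compares versions against the advisory's "Fixed in" release 0.6.1 and inspects three sources: the installed distribution (via `importlib.metadata`), a requirements.txt text and a Pipfile.lock document. Only an exact pin or an installed version yields a definite answer; range specifiers are reported as "unknown" so they are not silently treated as safe. The sample inputs are constructed for the demonstration.

```python
"""Check whether a project's torchgeo dependency is affected by CVE-2024-49048.

Affected: torchgeo < 0.6.1 (the advisory's "Fixed in" version).
Sources checked: the installed distribution, a requirements.txt text and a
Pipfile.lock JSON document. Verdicts: "affected", "fixed", "unknown"
(present but not exactly pinned) or "absent".
"""
import json
import re
from importlib.metadata import PackageNotFoundError
from importlib.metadata import version as installed_version

PACKAGE = "torchgeo"
FIXED_VERSION = "0.6.1"  # from the advisory

# name, optional extras, optional operator, optional version (constructed, PEP 508-ish)
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(===?|~=|!=|<=|>=|<|>)?\s*([^\s;#]*)"
)


def parse_version(v):
    """Split '0.6.1rc1' into ((0, 6, 1), is_prerelease). Local/post suffixes are
    not pre-releases; a, b, rc, dev, alpha, beta, c and pre are."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    suffix = m.group(2).lstrip(".-_")
    is_pre = bool(re.match(r"(a|b|rc|dev|alpha|beta|c|pre)", suffix))
    return release, is_pre


def is_affected(v):
    """True when version v predates the fixed release."""
    (rel, pre), (fix_rel, _) = parse_version(v), parse_version(FIXED_VERSION)
    n = max(len(rel), len(fix_rel))
    rel += (0,) * (n - len(rel))          # pad so 0.6 compares as 0.6.0
    fix_rel += (0,) * (n - len(fix_rel))
    if rel != fix_rel:
        return rel < fix_rel
    return pre  # a pre-release of 0.6.1 still predates the fix


def verdict_for(v):
    return "affected" if is_affected(v) else "fixed"


def check_requirements(text):
    """Scan requirements.txt content for the package and judge its pin."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or option such as -r / -e
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        if name.lower().replace("_", "-") != PACKAGE:
            continue
        ver = ver.split(",")[0]  # first clause of a multi-specifier
        if op in ("==", "===") and ver and "*" not in ver:
            return verdict_for(ver)
        return "unknown"  # range, wildcard or unpinned: cannot decide
    return "absent"


def check_pipfile_lock(text):
    """Judge the package's locked version in a Pipfile.lock document."""
    data = json.loads(text)
    for section in ("default", "develop"):
        entry = data.get(section, {}).get(PACKAGE)
        if entry is None:
            continue
        spec = entry.get("version", "")
        if spec.startswith("=="):
            return verdict_for(spec[2:])
        return "unknown"
    return "absent"


def check_installed():
    """Judge the torchgeo distribution installed in this interpreter, if any."""
    try:
        v = installed_version(PACKAGE)
    except PackageNotFoundError:
        return "absent", None
    return verdict_for(v), v


# Constructed sample inputs (not real project files).
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
numpy>=1.24
torchgeo==0.6.0   # vulnerable pin
"""
SAMPLE_PIPFILE_LOCK = json.dumps({"default": {"torchgeo": {"version": "==0.6.1"}}})

if __name__ == "__main__":
    print("requirements.txt:", check_requirements(SAMPLE_REQUIREMENTS))  # affected
    print("Pipfile.lock:", check_pipfile_lock(SAMPLE_PIPFILE_LOCK))      # fixed
    print("installed:", check_installed())
```

Run it inside the project's virtual environment to get a verdict for the installed distribution; feed it the contents of the dependency file to get a verdict for what CI would install. An "unknown" result means the pin does not guarantee 0.6.1 or later and the specifier should be tightened before the upgrade is trusted.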

Is CVE-2024-49048 being actively exploited?

As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.

Where can I find the official torchgeo advisory for CVE-2024-49048?

Refer to the torchgeo project's GitHub repository and release notes for the official advisory and details on the fix: [https://github.com/NVlabs/torchgeo](https://github.com/NVlabs/torchgeo)
