Platform: python
Component: label-studio-sdk
Fixed in: 1.0.11, 1.0.10
CVE-2025-25295 describes a path traversal vulnerability discovered in Label Studio SDK versions prior to 1.0.10. This flaw allows unauthorized access to files outside the intended directory structure, potentially exposing sensitive data. Users of Label Studio versions before 1.16.0 are impacted, and upgrading to Label Studio 1.16.0 or newer, which includes the fixed SDK version 1.0.10, is recommended to mitigate this risk.
The path traversal vulnerability in Label Studio SDK allows an attacker to manipulate file paths within the VOC, COCO, and YOLO export functionalities. By crafting malicious requests, an attacker can bypass intended access controls and read arbitrary files on the server hosting the SDK. This could lead to the exposure of configuration files, source code, or other sensitive data. The potential impact extends to any data processed or stored by Label Studio, depending on the server's file system permissions. While no active exploitation has been publicly reported, the ease of exploitation makes this a significant risk, particularly in environments where Label Studio is used to handle sensitive data.
This vulnerability was publicly disclosed on February 14, 2025. No known exploitation campaigns have been reported at the time of writing. The vulnerability is not currently listed on CISA KEV. A public proof-of-concept is likely to emerge given the relatively straightforward nature of path traversal vulnerabilities.
Exploit Status
EPSS: 0.13% (33rd percentile)
CISA SSVC
The primary mitigation for CVE-2025-25295 is to upgrade both Label Studio and the Label Studio SDK. Upgrade Label Studio to version 1.16.0 or later, which includes the patched SDK version 1.0.10. If upgrading Label Studio is not immediately feasible, ensure the underlying SDK version is upgraded to 1.0.10. As a temporary workaround, restrict file system access permissions for the Label Studio process to the minimum necessary directories. Implement input validation and sanitization on all user-supplied file paths within the export functionalities. Consider deploying a Web Application Firewall (WAF) with rules to detect and block path traversal attempts.
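As an added illustration of the input-validation advice above (example code written for this page, not the Label Studio SDK's own fix), a containment check that resolves a requested export path against a fixed export root and rejects anything that escapes it, whether through `..` segments, an absolute path, or a symlink inside the root. The function names and the sample paths are constructed for the example.

```python
import tempfile
from pathlib import Path

class PathTraversalError(ValueError):
    """Raised when a requested path would escape the permitted export root."""

def resolve_within(export_root: str, requested: str) -> Path:
    """Return the absolute path for ``requested`` only if it stays under ``export_root``.
    Hypothetical helper, not the SDK's own fix: both sides are fully resolved (symlinks
    followed, '..' collapsed) so '..', absolute paths and symlink escapes hit one check."""
    root = Path(export_root).resolve(strict=False)
    # Joining an absolute ``requested`` discards ``root`` (os.path.join does the same),
    # so such a path simply fails the containment test below.
    candidate = (root / requested).resolve(strict=False)
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathTraversalError(f"{requested!r} escapes {export_root!r}") from None
    return candidate

def classify_export_paths(export_root: str, paths):
    """Split requested export paths into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for p in paths:
        try:
            accepted.append(str(resolve_within(export_root, p)))
        except PathTraversalError:
            rejected.append(p)
    return accepted, rejected

def symlink_escape_is_rejected() -> bool:
    """Edge case: a symlink inside the root that points outside it must be rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = Path(tmp) / "export_root", Path(tmp) / "outside"
        root.mkdir()
        outside.mkdir()
        (root / "link").symlink_to(outside, target_is_directory=True)
        try:
            resolve_within(str(root), "link/secret.txt")
        except PathTraversalError:
            return True
        return False

# Constructed sample input: names as they might appear in a VOC/COCO/YOLO export request.
SAMPLE_PATHS = ["images/0001.jpg", "labels/0001.txt", "a/../b.txt",
                "../../etc/passwd", "/etc/passwd", "labels/../../../secret"]

if __name__ == "__main__":
    print(classify_export_paths("/tmp/ls_export", SAMPLE_PATHS))
    print("symlink escape rejected:", symlink_escape_is_rejected())
```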
Update the label-studio-sdk library to version 1.0.10 or higher. This fixes the path traversal vulnerability. If you are using Label Studio, update to version 1.16.0 or later, since earlier versions specified vulnerable SDK versions as dependencies.
CVE-2025-25295 is a Path Traversal vulnerability in Label Studio SDK versions prior to 1.0.10, allowing unauthorized file access. It's rated HIGH severity (CVSS 7.5).
You are affected if you are using Label Studio SDK versions ≤1.0.8 or Label Studio versions prior to 1.16.0.
Upgrade Label Studio to version 1.16.0 or later, which includes the patched SDK version 1.0.10. Restrict file system access permissions as a temporary workaround.
No active exploitation has been publicly reported, but the ease of exploitation makes it a significant risk.
Refer to the Label Studio release notes and security advisories on their official website for the most up-to-date information.