CVE-2022-34668

CRITICAL

NVFLARE < 2.1.4 - Remote Code Execution via Pickle Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-34668. PoCs published by Elias Hohl.

AI-analyzed exploit summary This exploit demonstrates a remote code execution vulnerability in NVFLARE < 2.1.4 due to unsafe deserialization using Python's pickle module. The PoC modifies the client-side code to send a malicious payload to the server, resulting in arbitrary command execution.

Description

NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

Exploits (1)

exploitdb WORKING POC
by Elias Hohl · textremotepython
https://www.exploit-db.com/exploits/51051

This exploit demonstrates a remote code execution vulnerability in NVFLARE < 2.1.4 due to unsafe deserialization using Python's pickle module. The PoC modifies the client-side code to send a malicious payload to the server, resulting in arbitrary command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NVIDIA NVFLARE < 2.1.4
No auth needed
Prerequisites: Python 3.8 environment · NVFLARE installation · Network access to the target server
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0823
EPSS Percentile 94.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (2)
nvidia/nvflare < 2.1.4
pypi/nvflare 0 - 2.1.4PyPI
Published Aug 29, 2022
Tracked Since Feb 18, 2026