CVE-2022-34668

CRITICAL

Nvidia Nvflare < 2.1.4 - Insecure Deserialization

Title source: rule

Description

NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

Exploits (1)

exploitdb WORKING POC

by Elias Hohl · textremotepython

https://www.exploit-db.com/exploits/51051

View Code ZIP pw:eip

References (2)

[Third Party Advisory] https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-6qv6-q77g-7qm6

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/171483/NVFLARE-Unsafe-Deserialization.html

Scores

CVSS v3 9.8

EPSS 0.2756

EPSS Percentile 96.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

nvidia/nvflare < 2.1.4

pypi/nvflare < 2.1.4PyPI

Timeline

Published Aug 29, 2022

Tracked Since Feb 18, 2026