CVE-2022-34668

CRITICAL

Nvidia Nvflare < 2.1.4 - Insecure Deserialization

Title source: rule

Description

NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

Exploits (1)

exploitdb WORKING POC

by Elias Hohl · textremotepython

https://www.exploit-db.com/exploits/51051

View Code ZIP pw:eip

References (2)

[Third Party Advisory] https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-6qv6-q77g-7qm6

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/171483/NVFLARE-Unsafe-Deserialization.html

Scores

CVSS v3 9.8

EPSS 0.2245

EPSS Percentile 95.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502

Status published

Products (2)

nvidia/nvflare < 2.1.4

pypi/nvflare 0 - 2.1.4PyPI

Published Aug 29, 2022

Tracked Since Feb 18, 2026