CVE-2022-45908
CRITICAL: PaddlePaddle < 2.4 - Remote Code Execution via get_window winstr Parameter
Title source: llmDescription
In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.
References (2)
Core References
Exploit, Patch, Third Party Advisory: https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2022-002.md
Patch, Third Party Advisory: https://github.com/PaddlePaddle/Paddle/commit/26c419ca386aeae3c461faf2b828d00b48e908eb
Scores
CVSS v3
9.8
EPSS
0.0128
EPSS Percentile
66.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (2)
paddlepaddle/paddlepaddle
< 2.4
pypi/paddlepaddle
0 - 2.4 (PyPI)
Published
Nov 26, 2022
Tracked Since
Feb 18, 2026