CVE-2024-12044

CRITICAL

open-mmlab/mmdetection <3.3.0 - RCE

Title source: llm

Description

A remote code execution vulnerability exists in open-mmlab/mmdetection version v3.3.0. The vulnerability is due to the use of the `pickle.loads()` function in the `all_reduce_dict()` distributed training API without proper sanitization. This allows an attacker to execute arbitrary code by broadcasting a malicious payload to the distributed training network.

References (1)

[Exploit, Third Party Advisory] https://huntr.com/bounties/f7e4fc32-e167-49fb-9fc7-f092b9c27e8a

Scores

CVSS v3 9.8

EPSS 0.0158

EPSS Percentile 81.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status draft

Timeline

Published Mar 20, 2025

Tracked Since Feb 18, 2026