CVE-2024-9701

CRITICAL

Pypi Kedro < 0.19.9 - Insecure Deserialization

Title source: rule

Description

A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized.

Scores

CVSS v3 9.8
EPSS 0.0119
EPSS Percentile 78.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status draft

Affected Products (1)

pypi/kedro < 0.19.9 (PyPI)

Timeline

Published Mar 20, 2025
Tracked Since Feb 18, 2026