CVE-2025-5173
Severity: MEDIUM
HumanSignal label-studio-ml-backend - Deserialization of Untrusted Data in PT File Handler
A vulnerability has been found in HumanSignal label-studio-ml-backend up to commit 9fb7f4aa186612806af2becfb621f6ed8d9fdbaf and classified as problematic. Affected by this vulnerability is the function load of the file label-studio-ml-backend/label_studio_ml/examples/yolo/utils/neural_nets.py of the component PT File Handler. Manipulation of the argument path leads to deserialization of untrusted data. The attack has to be carried out locally. This product takes the approach of rolling releases to provide continuous delivery; therefore, version details for affected and updated releases are not available.
References (4)
Third Party Advisory, VDB Entry (technical description): https://vuldb.com/?id.310261
Permissions Required, VDB Entry (signature): https://vuldb.com/?ctiid.310261
Third Party Advisory, VDB Entry (submission): https://vuldb.com/?submit.578126
Issue Tracking, Vendor Advisory: https://github.com/HumanSignal/label-studio-ml-backend/issues/765
Scores
CVSS v3 base score: 5.3
EPSS: 0.0010
EPSS percentile: 27.7%
Attack Vector: LOCAL
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-502, CWE-20
Status: published
Products (2)
humansignal/label_studio_ml_backend: < 2024-09-30
pypi/label-studio-ml (PyPI)
Published: May 26, 2025
Tracked since: Feb 18, 2026