{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-28T07:16:26.690","vulnerabilities":[{"cve":{"id":"CVE-2025-23045","sourceIdentifier":"security-advisories@github.com","published":"2025-01-28T16:15:40.690","lastModified":"2025-09-16T17:32:18.157","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance is able to run arbitrary code in the context of the Nuclio function container. This vulnerability affects CVAT deployments that run any of the serverless functions of type tracker from the CVAT Git repository, namely TransT and SiamMask. Deployments with custom functions of type tracker may also be affected, depending on how they handle state serialization. If a function uses an unsafe serialization library such as pickle or jsonpickle, it's likely to be vulnerable. Upgrade to CVAT 2.26.0 or later. If you are unable to upgrade, shut down any instances of the TransT or SiamMask functions you're running."},{"lang":"es","value":"Computer Vision Annotation Tool (CVAT) es una herramienta interactiva de anotación de imágenes y videos para visión artificial. Un atacante con una cuenta en una instancia de CVAT afectada puede ejecutar código arbitrario en el contexto del contenedor de funciones Nuclio. Esta vulnerabilidad afecta a las implementaciones de CVAT que ejecutan cualquiera de las funciones sin servidor de tipo tracker desde el repositorio Git de CVAT, a saber, TransT y SiamMask. Las implementaciones con funciones personalizadas de tipo tracker también pueden verse afectadas, según cómo gestionan la serialización de estados. Si una función usa una librería de serialización insegura como pickle o jsonpickle, es probable que sea vulnerable. Actualice a CVAT 2.26.0 o posterior. Si no puede actualizar, apague todas las instancias de las funciones TransT o SiamMask que esté ejecutando."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:cvat:computer_vision_annotation_tool:*:*:*:*:*:*:*:*","versionStartIncluding":"1.1.0","versionEndExcluding":"2.26.0","matchCriteriaId":"0A2CE6BD-7820-4EA4-B329-B27E7A2C05BF"}]}]}],"references":[{"url":"https://github.com/cvat-ai/cvat/commit/563e1dfde64b15fa042b23f9d09cd854b35f0366","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/cvat-ai/cvat/security/advisories/GHSA-wq36-mxf8-hv62","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}