CVE-2025-23045

9.8 CRITICAL

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary code within CVAT's Nuclio function containers by exploiting unsafe serialization in tracker functions. It affects CVAT deployments running TransT or SiamMask serverless functions, or custom tracker functions using vulnerable serialization libraries like pickle or jsonpickle. Organizations using CVAT for computer vision annotation with these functions are at risk.

💻 Affected Systems

Products:
  • Computer Vision Annotation Tool (CVAT)
Versions: before 2.26.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments running TransT or SiamMask tracker functions from CVAT Git repository, or custom tracker functions using unsafe serialization libraries like pickle or jsonpickle.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the CVAT instance, allowing attackers to execute arbitrary code, access sensitive annotation data, pivot to other systems, and potentially compromise the underlying infrastructure.

🟠

Likely Case

Authenticated attackers gaining code execution within function containers, potentially accessing and modifying annotation data, disrupting annotation workflows, and escalating privileges within the CVAT environment.

🟢

If Mitigated

Limited impact with proper network segmentation, minimal privileges, and monitoring, though authenticated users could still disrupt specific tracker functions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account on the CVAT instance and knowledge of vulnerable tracker functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CVAT 2.26.0

Vendor Advisory: https://github.com/cvat-ai/cvat/security/advisories/GHSA-wq36-mxf8-hv62

Restart Required: Yes

Instructions:

1. Back up your CVAT data and configuration.
2. Upgrade to CVAT version 2.26.0 or later using your deployment method (Docker, Kubernetes, etc.).
3. Restart all CVAT services.
4. Verify that tracker functions are properly updated.

🔧 Temporary Workarounds

Disable Vulnerable Tracker Functions

Platform: all

Shut down TransT and SiamMask tracker functions to prevent exploitation while awaiting upgrade.

# Stop the specific function containers
# For Docker: docker stop [container_name]
# For Kubernetes: kubectl scale deployment [deployment_name] --replicas=0

🧯 If You Can't Patch

  • Immediately shut down all instances of TransT and SiamMask tracker functions
  • Review and secure custom tracker functions to ensure they don't use unsafe serialization libraries like pickle or jsonpickle
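As an added illustration (not CVAT's own code and not part of the advisory), the unsafe pattern the advisory warns about beside a hardened replacement for a custom tracker function: tracker state crosses the trust boundary as validated JSON instead of a pickle/jsonpickle blob. The function names and the state layout (a bounding box plus a 2D template) are assumptions, and the sample values are constructed.

```python
import base64
import json
import pickle  # shown only for the vulnerable pattern; never used on untrusted input below

# --- Vulnerable pattern (hypothetical): attacker-controlled bytes reach pickle.loads,
# which reconstructs arbitrary objects and can invoke arbitrary callables.
def restore_state_unsafe(state_b64: str):
    return pickle.loads(base64.b64decode(state_b64))

# --- Hardened pattern: a fixed JSON schema, parsed with json (no object reconstruction)
STATE_VERSION = 1
MAX_STATE_BYTES = 1_000_000  # cap before parsing to bound memory/CPU

def _is_num(v) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(v, (int, float)) and not isinstance(v, bool)

def save_state(bbox, template) -> str:
    """Serialize tracker state: bbox = 4 numbers, template = rectangular 2D list.
    A numpy template should be passed as template.tolist()."""
    if len(bbox) != 4:
        raise ValueError("bbox must have 4 values")
    return json.dumps({"version": STATE_VERSION,
                       "bbox": [float(v) for v in bbox],
                       "template": [[float(v) for v in row] for row in template]})

def load_state(blob: str) -> dict:
    """Parse and validate; reject anything that is not the expected shape and types."""
    if len(blob) > MAX_STATE_BYTES:
        raise ValueError("state too large")
    data = json.loads(blob)
    if not isinstance(data, dict) or data.get("version") != STATE_VERSION:
        raise ValueError("unknown state version")
    bbox = data.get("bbox")
    if not (isinstance(bbox, list) and len(bbox) == 4 and all(_is_num(v) for v in bbox)):
        raise ValueError("bad bbox")
    template = data.get("template")
    if not isinstance(template, list) or not template:
        raise ValueError("bad template")
    width = None
    for row in template:
        if not isinstance(row, list) or not all(_is_num(v) for v in row):
            raise ValueError("bad template row")
        if width is None:
            width = len(row)
        elif len(row) != width:
            raise ValueError("ragged template")
    return {"bbox": [float(v) for v in bbox],
            "template": [[float(v) for v in row] for row in template]}

def looks_like_pickle(blob: str) -> bool:
    """Triage check for stored state: pickle protocol 2+ streams start with the PROTO
    opcode 0x80, so their base64 form starts with 'gA'. JSON state never matches."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except Exception:
        return False
    return raw[:1] == b"\x80"
```

`looks_like_pickle` is a cheap way to audit persisted tracker state for legacy pickle blobs; it does not parse the data and should complement, not replace, removing pickle/jsonpickle from the function.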

🔍 How to Verify

Check if Vulnerable:

Check if CVAT version is below 2.26.0 and verify if TransT, SiamMask, or custom tracker functions using pickle/jsonpickle are running.

Check Version:

docker exec cvat_server python -c "import cvat; print(cvat.__version__)", or check the CVAT web interface admin panel.

Verify Fix Applied:

Confirm CVAT version is 2.26.0 or higher and verify tracker functions are properly updated and functioning.

📡 Detection & Monitoring

Log Indicators:

  • Unusual activity in tracker function logs
  • Unexpected code execution patterns in Nuclio containers
  • Authentication logs showing suspicious user access to tracker functions

Network Indicators:

  • Unusual outbound connections from CVAT containers
  • Suspicious traffic to/from tracker function endpoints

SIEM Query:

source="cvat" AND ("TransT" OR "SiamMask" OR "tracker") AND ("error" OR "exception" OR "unexpected")

🔗 References
