Deserialization in Cvat-ai Cvat

CVE-2025-23045

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance is able to run arbitrary code in the context of the Nuclio function cont…

Vulnerability class: Insecure Deserialization

EPSS: 0.009 (76.1th percentile) — read the EPSS interpretation.

Affected products

Cvat-ai Cvat — versions >= 1.1.0, < 2.26.0

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

References

https://github.com/cvat-ai/cvat/security/advisories/GHSA-wq36-mxf8-hv62 (x_refsource_CONFIRM)
https://github.com/cvat-ai/cvat/commit/563e1dfde64b15fa042b23f9d09cd854b35f0366 (x_refsource_MISC)