Path Traversal in Cvat-ai Cvat
CVE-2025-64485
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.4.0 through 2.48.1, a malicious CVAT user with at least the User global role may create files in the root of the mounted file share, or o…
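The bug class above is a user-controlled relative path that is joined onto the mounted share's root without a containment check. The following is an added illustration of that pattern and of a correct check; it is not CVAT's code and does not reproduce the actual flaw. The share root `/srv/share`, the function names `join_unsafe`, `join_prefix_check`, `join_in_share` and `classify`, and the sample inputs are all assumptions constructed for the example.

```python
import posixpath

# Assumed mount point of the file share for this example (not CVAT's setting).
SHARE_ROOT = "/srv/share"


def join_unsafe(root: str, user_path: str) -> str:
    """Vulnerable pattern: join and normalise, never check containment.

    posixpath.join() discards `root` when user_path is absolute, and
    normpath() happily collapses '..' segments past the root.
    """
    return posixpath.normpath(posixpath.join(root, user_path))


def join_prefix_check(root: str, user_path: str) -> str:
    """Common half-fix: a string-prefix test on the normalised path.

    Still wrong: '/srv/share2/x' starts with '/srv/share', so a sibling
    directory whose name shares the prefix is accepted.
    """
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if not candidate.startswith(root):
        raise ValueError(f"path escapes share: {user_path!r}")
    return candidate


def join_in_share(root: str, user_path: str) -> str:
    """Return an absolute path lexically contained in `root`, else raise.

    This check is purely lexical. Once the share exists on disk the caller
    must also os.path.realpath() the result and re-check containment,
    because a symlink inside the share can still point outside it.
    """
    if not user_path or "\x00" in user_path:
        raise ValueError("empty or NUL-containing path")
    if posixpath.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    root_abs = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_abs, user_path))
    # commonpath() compares path components, not characters, so the
    # '/srv/share2' sibling case is rejected.
    if posixpath.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError(f"path escapes share: {user_path!r}")
    return candidate


def classify(user_path: str) -> str:
    """Run the hardened check on one constructed input and report the outcome."""
    try:
        return "allowed:" + join_in_share(SHARE_ROOT, user_path)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample inputs, not data from the advisory.
    for p in ["proj/a/../img.png", "../../etc/passwd", "/etc/passwd",
              "../share2/secret", "dir/..", ".."]:
        print(f"{p!r:24} unsafe={join_unsafe(SHARE_ROOT, p):24} checked={classify(p)}")
```

The difference between `join_prefix_check` and `join_in_share` is the detail most often missed when patching a traversal: a prefix test on the string accepts any sibling of the root whose name begins with the root's name, while a component-wise comparison does not.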
Vulnerability class: Path Traversal (Directory Traversal)
EPSS score: 0.001 (28.9th percentile)
Affected products
- Cvat-ai Cvat — versions >= 2.4.0 and < 2.49.0 (2.4.0 through 2.48.1; fixed in 2.49.0)
Weakness classification (CWE)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References
- GitHub security advisory GHSA-x396-w86c-gf6w: https://github.com/cvat-ai/cvat/security/advisories/GHSA-x396-w86c-gf6w
- Related commit in cvat-ai/cvat: https://github.com/cvat-ai/cvat/commit/cace877189528a7ed4a224476f4bc0bd5a21d40c