CVE-2025-49135

CVAT is an open source interactive video and image annotation tool for computer vision. Versions 2.2.0 through 2.39.0 have no validation during the import process of a project or task backup to check that the filename specified in the query parameter refers to a TUS-uploaded file belonging to the same user. As a result, if an attacker with a CVAT account and a `user` role knows the filenames of other users' uploads, they could potentially access and steal data by creating projects or tasks using those files. This issue does not affect annotation or dataset TUS uploads, since in this case object-specific temporary directories are used. Users should upgrade to CVAT 2.40.0 or a later version to receive a patch. No known workarounds are available.

CVSS

No CVSS.

References

Link	Resource
https://github.com/cvat-ai/cvat/commit/dbafd9c0287489bea00e1db626f64b107f90bfc9
https://github.com/cvat-ai/cvat/security/advisories/GHSA-frpr-5w6q-hh4f

Configurations

No configuration.

History

26 Jun 2025, 18:57

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-25 15:15

Updated : 2025-06-26 18:57

NVD link : CVE-2025-49135

Mitre link : CVE-2025-49135

CVE.ORG link : CVE-2025-49135

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2025-49135", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-25T15:15:24.990", "references": [{"url": "https://github.com/cvat-ai/cvat/commit/dbafd9c0287489bea00e1db626f64b107f90bfc9", "source": "security-advisories@github.com"}, {"url": "https://github.com/cvat-ai/cvat/security/advisories/GHSA-frpr-5w6q-hh4f", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "CVAT is an open source interactive video and image annotation tool for computer vision. Versions 2.2.0 through 2.39.0 have no validation during the import process of a project or task backup to check that the filename specified in the query parameter refers to a TUS-uploaded file belonging to the same user. As a result, if an attacker with a CVAT account and a `user` role knows the filenames of other users' uploads, they could potentially access and steal data by creating projects or tasks using those files. This issue does not affect annotation or dataset TUS uploads, since in this case object-specific temporary directories are used. Users should upgrade to CVAT 2.40.0 or a later version to receive a patch. No known workarounds are available."}, {"lang": "es", "value": "CVAT es una herramienta interactiva de c\u00f3digo abierto para la anotaci\u00f3n de im\u00e1genes y videos para visi\u00f3n artificial. Las versiones 2.2.0 a 2.39.0 no incluyen validaci\u00f3n durante la importaci\u00f3n de copias de seguridad de proyectos o tareas para verificar que el nombre de archivo especificado en el par\u00e1metro de consulta se refiera a un archivo subido a TUS que pertenezca al mismo usuario. Por lo tanto, si un atacante con una cuenta CVAT y rol de usuario conoce los nombres de archivo de las cargas de otros usuarios, podr\u00eda acceder y robar datos creando proyectos o tareas con esos archivos. Este problema no afecta las cargas de TUS de anotaciones ni de conjuntos de datos, ya que en este caso se utilizan directorios temporales espec\u00edficos del objeto. Los usuarios deben actualizar a CVAT 2.40.0 o una versi\u00f3n posterior para recibir una actualizaci\u00f3n. No se conocen soluciones alternativas."}], "lastModified": "2025-06-26T18:57:43.670", "sourceIdentifier": "security-advisories@github.com"}