CVE-2025-23045 - How a Dangerous Serialization Bug in CVAT Puts Your Data and Servers at Risk
CVE-2025-23045 is a critical vulnerability discovered in Computer Vision Annotation Tool (CVAT), a widely used web application for annotating images and videos in machine learning and computer vision projects.
If you’re running CVAT and letting users work with serverless tracker functions like TransT and SiamMask, you could be giving attackers a route to execute arbitrary code — using just a regular account! If you’re using custom tracking functions that rely on unsafe serialization libraries like pickle or jsonpickle, you’re potentially exposed as well.
*In this post, I’ll break down what’s going on, show the simple exploit, explain fixes, and point you to official resources.*
- Runs any tracker function from the CVAT Git repo, specifically:
  - TransT
  - SiamMask
- OR, runs a custom tracker function that uses unsafe state serialization/deserialization, such as using pickle or jsonpickle to store Python object state across requests.
The vulnerability is present on a *default* install if you use those tracker functions.
The Core Issue: Unsafe Deserialization
Tracker functions in CVAT often *save their state* between requests, so they can be resumed. Some tracker functions use dangerous Python libraries (like pickle) to serialize and deserialize this state. pickle will execute arbitrary code when loading data (if someone crafts the data right).
This means: If an attacker can influence what’s stored in the tracker's state, they have a free pass to run code on the Nuclio container. Since Nuclio is used for running these serverless functions, the code executes with Nuclio’s privileges — inside your server.
> TL;DR: If the tracker loads state from something the user can control, and does so with pickle, it’s easy for an attacker to slip in malicious code — and CVAT will run it.
Example Exploit: Running Code via Malicious State
Here's a *simplified* Python snippet showing how this kind of exploit can work. (Do NOT run this for real, unless in a safe test environment!)
```python
# Attacker crafts a payload that, when loaded, runs os.system('whoami')
import pickle
import os

class Exploit(object):
    def __reduce__(self):
        return (os.system, ('whoami',))

payload = pickle.dumps(Exploit())

# Later, the tracker function loads the state (insecurely)
# Imagine this happens inside a Nuclio function on your server!
pickle.loads(payload)
```
If the tracker function loads serialized state from attacker-supplied input, the os.system('whoami') call runs immediately. Replace 'whoami' with anything: rm -rf /, install malware, create a backdoor — game over.
In the Wild: CVAT Tracker Functions
The issue arises in CVAT’s built-in tracker functions such as TransT and SiamMask. They both deserialized state using pickle.
If you run those Nuclio functions, any authenticated user in CVAT can trigger this code path — and plant a payload.
- Anyone running CVAT deployments with serverless tracker functions
- Deployments where users have upload or annotation rights (just needs a regular account; no admin needed)
What should you do?
1. Upgrade CVAT to at least version 2.26. — the vulnerability is patched there.
2. If you can’t upgrade: Immediately shut down the vulnerable Nuclio functions (TransT, SiamMask).
3. Audit your custom functions: If you wrote any custom tracker-type functions, stop using pickle/jsonpickle for state storage! Use safe serialization formats like plain JSON or json5.
> Check your Nuclio function list and relevant code for pickle.loads or jsonpickle.decode statements.
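
One way to run the audit from step 3, as an added example (not code from CVAT or from this post): a static scan built on Python's `ast` module that flags calls to `pickle.load`, `pickle.loads`, `pickle.Unpickler` and `jsonpickle.decode`, including aliased imports that a plain text search would miss. The `SAMPLE` handler and the function name `find_unsafe_deserialization` are constructed for illustration.

```python
import ast
import pathlib
import sys

# Calls that rebuild arbitrary Python objects from serialized input.
UNSAFE = {"pickle": {"load", "loads", "Unpickler"}, "jsonpickle": {"decode"}}

# Constructed sample: a hypothetical Nuclio-style handler, not CVAT's code.
SAMPLE = '''\
import json
import pickle as pkl
from jsonpickle import decode as jp_decode

def handler(context, event):
    data = json.loads(event.body)
    state = pkl.loads(bytes.fromhex(data["state"]))
    extra = jp_decode(data["extra"])
    return json.dumps({"ok": True})
'''

def find_unsafe_deserialization(source, filename="<function>"):
    """Return sorted (line, "module.name") pairs for unsafe deserializer calls."""
    tree = ast.parse(source, filename)  # parses only; never executes the code
    modules, names = {}, {}  # local alias -> module, local name -> "module.name"
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name in UNSAFE:
                    modules[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module in UNSAFE:
            for a in node.names:
                if a.name in UNSAFE[node.module]:
                    names[a.asname or a.name] = f"{node.module}.{a.name}"
    hits = []
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        f = node.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            mod = modules.get(f.value.id)
            if mod and f.attr in UNSAFE[mod]:
                hits.append((node.lineno, f"{mod}.{f.attr}"))
        elif isinstance(f, ast.Name) and f.id in names:
            hits.append((node.lineno, names[f.id]))
    return sorted(hits)

if __name__ == "__main__":
    for path in (p for r in sys.argv[1:] for p in pathlib.Path(r).rglob("*.py")):
        for line, call in find_unsafe_deserialization(path.read_text(), str(path)):
            print(f"{path}:{line}: {call}")
```

Run it with the directories that hold your function code as arguments; each hit is printed as `path:line: call` and marks a place where state should move to plain JSON.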
References
- Official CVAT GitHub Security Advisory
- CVAT Release Notes
- Nuclio: Open-source serverless framework
- Python pickle module documentation (and security warning)
Conclusion
CVE-2025-23045 is a serious server-side code execution bug that lets any CVAT user (not just admins) break out of the annotation sandbox and run code in your tracker Nuclio function container. The root cause is unsafe deserialization using Python’s pickle or jsonpickle.
The fix is simple: update your CVAT to >=2.26., or stop those Nuclio functions.
Don’t delay! If you need more details, see the official advisory or read the release notes.
Timeline
Published on: 01/28/2025 16:15:40 UTC