CVE-2024-27763: XPixelGroup BasicSR Command Injection

March 12, 2025 (updated March 13, 2025)

XPixelGroup BasicSR through 1.4.2 might locally allow code execution in contrived situations where “scontrol show hostname” is executed in the presence of a crafted SLURM_NODELIST environment variable.

References

gist.github.com/aydinnyunus/40e1d8a3b529261ae654ff4891f1e192
github.com/XPixelGroup/BasicSR
github.com/XPixelGroup/BasicSR/blob/master/basicsr/utils/dist_util.py
github.com/advisories/GHSA-86w8-vhw6-q9qq
nvd.nist.gov/vuln/detail/CVE-2024-27763

Code Behaviors & Features

Detect and mitigate CVE-2024-27763 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →