CVE-2024-12216: GluonCV Arbitrary File Write via TarSlip

March 20, 2025 (updated March 21, 2025)

A vulnerability in the ImageClassificationDataset.from_csv() API of the dmlc/gluon-cv repository, version 0.10.0, allows for arbitrary file write. The function downloads and extracts tar.gz files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can exploit this by crafting malicious tar files that, when extracted, can overwrite files on the victim’s system via path traversal or faked symlinks.

References

github.com/advisories/GHSA-m724-hqmc-ggpx
github.com/dmlc/gluon-cv
github.com/dmlc/gluon-cv/blob/3862e2db33ab650eff7c7c5c5891e805207027b1/gluoncv/utils/filesystem.py
huntr.com/bounties/46081fdc-2951-4deb-a2c9-2627007bdce0
nvd.nist.gov/vuln/detail/CVE-2024-12216

Code Behaviors & Features

Detect and mitigate CVE-2024-12216 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →