CVE-2024-27320: Refuel Autolab Eval Injection vulnerability

September 12, 2024 (updated September 23, 2024)

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.

References

github.com/advisories/GHSA-g2m8-f3x2-qprw
github.com/refuel-ai/autolabel
github.com/refuel-ai/autolabel/blob/v0.0.16/src/autolabel/dataset/validation.py
hiddenlayer.com/sai-security-advisory/2024-09-autolabel
nvd.nist.gov/vuln/detail/CVE-2024-27320

Code Behaviors & Features

Detect and mitigate CVE-2024-27320 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →