CVE-2024-49048: TorchGeo Remote Code Execution Vulnerability
TorchGeo versions 0.4 through 0.6.0 used an eval() call in the model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. Any platform that exposes torchgeo.models.get_weight() or torchgeo.trainers as an external API could be affected.
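To make the advisory concrete, the following added example (illustrative code, not TorchGeo's own implementation) contrasts an eval()-based weight lookup with an allowlist lookup, and adds a version-range check for the 0.4 to 0.6.0 range stated above, treating v0.6.1 (the release linked in the references) as the first fixed version. The enum ResNet50_Weights, the registry WEIGHT_REGISTRY and the function names get_weight_unsafe, get_weight_safe and is_affected_version are assumptions made for this illustration.

```python
"""Eval-based weight lookup vs. allowlist lookup (illustrative, not TorchGeo code)."""
import re
from enum import Enum


class ResNet50_Weights(Enum):
    """Constructed stand-in for a torchvision-style WeightsEnum (assumption)."""
    SENTINEL2_ALL_MOCO = "sentinel2_all_moco"
    LANDSAT_TM_MOCO = "landsat_tm_moco"


def get_weight_unsafe(name: str):
    """Vulnerable pattern: the caller-supplied string is handed straight to eval(),
    so any Python expression in it is evaluated, not only weight names."""
    return eval(name)  # deliberately unsafe, kept only for contrast


# Hardened pattern: names resolve only against an explicit, static allowlist.
WEIGHT_REGISTRY = {
    f"{ResNet50_Weights.__name__}.{member.name}": member
    for member in ResNet50_Weights
}


def get_weight_safe(name: str) -> Enum:
    """Resolve a 'Enum.MEMBER' string via the registry; reject anything else."""
    try:
        return WEIGHT_REGISTRY[name]
    except KeyError:
        raise ValueError(f"unknown weight name: {name!r}") from None


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def is_affected_version(version: str) -> bool:
    """True for 0.4.0 <= version <= 0.6.0 (the advisory's range); 0.6.1 is fixed.
    Pre-release suffixes are ignored; unparsable strings are treated as unknown."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return (0, 4, 0) <= (major, minor, patch) <= (0, 6, 0)


if __name__ == "__main__":
    # The unsafe variant evaluates arbitrary expressions, the safe one does not.
    print(get_weight_unsafe("ResNet50_Weights.SENTINEL2_ALL_MOCO"))
    print(get_weight_unsafe("len('abc')"))  # evaluated as Python, not a weight name
    print(get_weight_safe("ResNet50_Weights.SENTINEL2_ALL_MOCO"))
    try:
        get_weight_safe("len('abc')")
    except ValueError as exc:
        print("rejected:", exc)
    for v in ("0.3.1", "0.4.0", "0.5.2", "0.6.0", "0.6.1"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

The safe variant also removes the need for any string parsing of dotted names: the registry is built once from the enum classes the project actually ships, so the only values a caller can ever obtain are the members that were enumerated at import time.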
References
- github.com/advisories/GHSA-ghq9-vc6f-8qjf
- github.com/microsoft/torchgeo/releases/tag/v0.6.1
- github.com/pypa/advisory-database/tree/main/vulns/torchgeo/PYSEC-2024-204.yaml
- github.com/torchgeo/torchgeo
- github.com/torchgeo/torchgeo/commit/1a980788cb7089a1115f3b786c7daa9dd47d7d7a
- github.com/torchgeo/torchgeo/pull/2323
- github.com/torchgeo/torchgeo/pull/917
- github.com/torchgeo/torchgeo/security/advisories/GHSA-ghq9-vc6f-8qjf
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49048
- nvd.nist.gov/vuln/detail/CVE-2024-49048