CVE-2025-2129

March 9, 2025, 8:15 p.m.

5.6
Medium

Description

A vulnerability was found in Mage AI 0.9.75. It has been classified as problematic. This affects an unknown part. The manipulation leads to insecure default initialization of resource. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. After 7 months of repeated follow-ups by the researcher, Mage AI has decided to not accept this issue as a valid security vulnerability and has confirmed that they will not be addressing it.

Product(s) Impacted

Product Versions
Mage AI
  • 0.9.75

Weaknesses

CWE-1188
Initialization of a Resource with an Insecure Default
The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

References

https://github.com/zn9988/publications/blob/main/2.Mage-AI%20-%20Insecure%20Default%20Authentication%20Setup%20Leading%20to%20Zero-Click%20RCE/README.md
https://vuldb.com/?ctiid.299049
https://vuldb.com/?id.299049
https://vuldb.com/?submit.510690

Tags

CWE-1188
cna@vuldb.com
2025-03-09
CVE-2025-2129

CVSS Score

5.6 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: LOW
    • View Vector String

    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Date

  • Published: March 9, 2025, 8:15 p.m.
  • Last Modified: March 9, 2025, 8:15 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cna@vuldb.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.