SecuriTricks - CVE-2025-48381

Description

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. In versions starting from 2.4.0 to before 2.38.0, an authenticated CVAT user may be able to retrieve the IDs and names of all tasks, projects, labels, and the IDs of all jobs and quality reports on the CVAT instance. In addition, if the instance contains many resources of a particular type, retrieving this information may tie up system resources, denying access to legitimate users. This issue has been patched in version 2.38.0.

Product(s) Impacted

Vendor	Product	Versions
Cvat	Cvat	2.4.0-2.37.9

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-201

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	cvat	cvat	2.4.0-2.37.9	/	/	/	/	/	/	/

References

https://github.com/cvat-ai/cvat/commit/7136c99fb2c3a5cb2d8c3ca54b4201b9fa6aab5a

https://github.com/cvat-ai/cvat/security/advisories/GHSA-7484-2gfm-852p

CVSS Score

5.3 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: LOW
User Interaction: NONE
Scope:
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: LOW
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: May 30, 2025, 4:15 a.m.
Last Modified: May 30, 2025, 4:31 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-48381