CVE-2024-10190 – horovod

Package

Manager: pip
Name: horovod
Vulnerable Version: >=0 <=0.28.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00447 pctl0.62633

Details

Horovod Vulnerable to Command Injection Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. The vulnerability is due to improper handling of base64-encoded data in the `ElasticRendezvousHandler`, a subclass of `KVStoreHandler`. Specifically, the `_put_value` method in `ElasticRendezvousHandler` calls `codec.loads_base64(value)`, which eventually invokes `cloudpickle.loads(decoded)`. This allows an attacker to send a malicious pickle object via a PUT request, leading to arbitrary code execution on the server.

Metadata

Created: 2025-03-20T12:32:38Z
Modified: 2025-03-20T18:53:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-mrhh-3ggq-23p2/GHSA-mrhh-3ggq-23p2.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-mrhh-3ggq-23p2
Finding: F422
Auto approve: 1