Server side template injection In torchgeo

Description

TorchGeo Remote Code Execution Vulnerability

Impact

TorchGeo 0.4–0.6.0 used an eval statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose torchgeo.models.get_weight() or torchgeo.trainers as an external API could be affected.

Patches

The eval statement was replaced with a fixed enum lookup, preventing arbitrary code injection. All users are encouraged to upgrade to TorchGeo 0.6.1 or newer.

Workarounds

In unpatched versions, validating and sanitizing the weight name before it reaches the affected API (for example, accepting only names from a fixed allow-list) can be used to avoid this vulnerability.
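The following is an added example, not TorchGeo's own code, that illustrates both the patch described above (an eval-based lookup replaced by a fixed enum lookup) and the workaround for unpatched versions (an allow-list gate placed in front of the API). The enum classes, member names, URLs and the helper names `get_weight_unsafe`, `get_weight_safe`, `validate_weight_name` and `rejects` are all constructed stand-ins; they are not TorchGeo's real weight enums or function names.

```python
"""Added example (not TorchGeo's own code): an eval-based weight lookup
beside the enum lookup that replaces it, plus an allow-list gate that can
be applied in front of an unpatched API.

Every enum, member and URL below is a constructed stand-in; the real
TorchGeo weight enums and weight names are not reproduced here."""
from enum import Enum


class ResNet18_Weights(Enum):
    """Constructed stand-in for a WeightsEnum-style class."""
    SENTINEL2_ALL_MOCO = "https://example.invalid/resnet18_s2_moco.pth"
    LANDSAT_TM_TOA_MOCO = "https://example.invalid/resnet18_tm_moco.pth"


class ResNet50_Weights(Enum):
    """Second constructed stand-in, so the registry has more than one entry."""
    SENTINEL2_ALL_MOCO = "https://example.invalid/resnet50_s2_moco.pth"


# Fixed registry: the only enums a lookup is ever allowed to touch.
WEIGHT_ENUMS = {cls.__name__: cls for cls in (ResNet18_Weights, ResNet50_Weights)}

# Exact allow-list of every accepted "Enum.MEMBER" string, derived from the registry.
ALLOWED_WEIGHT_NAMES = frozenset(
    f"{cls.__name__}.{member}" for cls in WEIGHT_ENUMS.values() for member in cls.__members__
)


def get_weight_unsafe(name: str):
    """Pattern of the vulnerable lookup (TorchGeo 0.4 to 0.6.0): the caller-supplied
    string is handed to eval() verbatim, so any Python expression, not just an
    'Enum.MEMBER' name, is executed inside the process that serves the API."""
    return eval(name)  # noqa: S307 - deliberately the unsafe pattern being discussed


def get_weight_safe(name: str) -> Enum:
    """Patched pattern: split 'Enum.MEMBER' and resolve both halves through fixed
    dictionaries. No part of `name` is interpreted as code; an unknown enum or
    member raises ValueError instead of executing anything."""
    enum_name, sep, member = name.partition(".")
    if not sep or not member:
        raise ValueError(f"weight name must look like 'Enum.MEMBER': {name!r}")
    try:
        return WEIGHT_ENUMS[enum_name][member]
    except KeyError:
        raise ValueError(f"unknown weight {name!r}") from None


def validate_weight_name(name: str) -> str:
    """Workaround for unpatched versions: an allow-list gate applied before the
    value reaches the eval-based API. Only exact known names pass; anything with
    operators, parentheses, quotes or whitespace is refused, so no expression can
    be smuggled into eval()."""
    if name not in ALLOWED_WEIGHT_NAMES:
        raise ValueError(f"rejected weight name {name!r}")
    return name


def rejects(lookup, name: str) -> bool:
    """True when `lookup` refuses `name` with ValueError; used to check that both
    the patched lookup and the workaround gate fail closed on unexpected input."""
    try:
        lookup(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = "ResNet18_Weights.SENTINEL2_ALL_MOCO"
    print(get_weight_safe(good))                       # ResNet18_Weights.SENTINEL2_ALL_MOCO
    # The eval-based lookup happily evaluates more than a name: appending
    # ".value" turns the result into the URL string rather than an error.
    print(get_weight_unsafe(good + ".value"))          # https://example.invalid/resnet18_s2_moco.pth
    print(rejects(get_weight_safe, good + ".value"))   # True
    print(rejects(validate_weight_name, good + " or 1"))  # True
```

The exact allow-list in `validate_weight_name` is deliberately stricter than a pattern check: because the API ultimately calls eval(), a regular expression that merely enforces an `Identifier.CONSTANT` shape would still let a caller name attributes of anything in the API's scope, while membership in a fixed set of known weight names leaves nothing for eval() to interpret beyond the expected lookup.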

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
