CVE-2024-12216 HIGH

CVE-2024-12216: Arbitrary File Write via TarSlip in dmlc/gluon-cv

Vendor Dmlc
Product dmlc/gluon-cv
Weakness CWE-59
Published March 20, 2025
Last update October 15, 2025

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

What the vulnerability does

Description

A vulnerability in the `ImageClassificationDataset.from_csv()` API of the `dmlc/gluon-cv` repository, version 0.10.0, allows for arbitrary file write. The function downloads and extracts `tar.gz` files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can exploit this by crafting malicious tar files that, when extracted, can overwrite files on the victim's system via path traversal or faked symlinks.
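The TarSlip pattern described above comes down to one missing check: every archive member's final path (and, for links, its link target) must stay inside the chosen extraction directory. The following is an added example, not code from gluon-cv; the function names `check_member`, `safe_extract`, `build_demo_archive` and `run_demo` are assumptions, and the archive it builds is a constructed sample that mixes benign dataset files with a `..` traversal entry and an escaping symlink, so the checks can be exercised offline. On Python 3.12 and later, `tarfile` also ships `data_filter` (usable as `extractall(filter="data")`), and the code passes that filter through when it is available.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def _is_within(base: Path, target: Path) -> bool:
    """True if target, after resolving '..' and symlinks, stays under base."""
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def check_member(member: tarfile.TarInfo, dest: Path) -> Optional[str]:
    """Return a rejection reason for an unsafe tar member, or None if it is safe.

    Hypothetical helper (not gluon-cv code). It rejects absolute names,
    path traversal, links whose target leaves dest, and special files.
    """
    name = member.name
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return f"absolute path: {name}"
    if ".." in Path(name).parts:
        return f"path traversal: {name}"
    target = dest / name
    if not _is_within(dest, target):
        return f"escapes destination: {name}"
    if member.issym() or member.islnk():
        link = member.linkname
        if os.path.isabs(link):
            return f"absolute link target: {name} -> {link}"
        # A symlink target is relative to the link's own directory;
        # a hardlink target is relative to the archive root.
        link_target = (target.parent / link) if member.issym() else (dest / link)
        if not _is_within(dest, link_target):
            return f"link escapes destination: {name} -> {link}"
    if member.isdev() or member.isfifo():
        return f"special file: {name}"
    return None


def safe_extract(archive_bytes: bytes, dest: Path) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Extract an in-memory .tar.gz into dest, skipping unsafe members.

    Returns (names extracted, [(name, reason) for each rejected member]).
    """
    dest.mkdir(parents=True, exist_ok=True)
    extracted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    # Python 3.12+ provides tarfile.data_filter; use it as a second line of defence.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            reason = check_member(member, dest)
            if reason is not None:
                rejected.append((member.name, reason))
                continue
            tar.extract(member, path=dest, **kwargs)
            extracted.append(member.name)
    return extracted, rejected


def build_demo_archive() -> bytes:
    """Constructed sample archive (not a real dataset): two benign files,
    one '..' traversal entry and one symlink pointing outside the tree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("dataset/train.csv", b"image,label\nimg_001.jpg,cat\n")
        add_file("dataset/img_001.jpg", b"\xff\xd8\xff\xd9")  # placeholder bytes
        add_file("../../escape.txt", b"would land outside the dataset dir")
        link = tarfile.TarInfo("dataset/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"
        tar.addfile(link)
    return buf.getvalue()


def run_demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Extract the constructed archive into a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_demo_archive(), Path(tmp) / "extracted")


if __name__ == "__main__":
    extracted, rejected = run_demo()
    print("extracted:", extracted)
    for name, reason in rejected:
        print("rejected:", name, "-", reason)
```

Resolving both the destination and each candidate path before comparing them is what makes the check robust: a lexical `..` test alone misses escapes through symlinks that earlier members created, and checking link targets relative to the correct base (the link's directory for symlinks, the archive root for hardlinks) closes the "faked symlink" variant the description mentions.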

Key dates

Disclosure timeline

March 20, 2025 CVE published
October 15, 2025 Record updated