CVE-2025-5173 MEDIUM

CVE-2025-5173: HumanSignal label-studio-ml-backend PT File neural_nets.py load deserialization

Vendor Humansignal
Product label-studio-ml-backend
Weakness CWE-502 · Unsafe deserialization
Published May 26, 2025
Last update May 28, 2025
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability has been found in HumanSignal label-studio-ml-backend up to 9fb7f4aa186612806af2becfb621f6ed8d9fdbaf and classified as problematic. Affected by this vulnerability is the function load of the file label-studio-ml-backend/label_studio_ml/examples/yolo/utils/neural_nets.py of the component PT File Handler. The manipulation of the argument path leads to deserialization. An attack has to be approached locally. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.

Key dates

02Disclosure timeline

May 26, 2025 CVE published
May 28, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-2251 Org.jboss.eap:wildfly-ejb3: improper deserialization in jboss marshalling allows remote code execution CVE-2025-69301 WordPress PhotoMe theme <= 5.6.11 - PHP Object Injection vulnerability CVE-2025-58636 WordPress WP Gravity Forms Keap/Infusionsoft Plugin <= 1.2.3 - Deserialization of untrusted data Vulnerability CVE-2025-60174 WordPress WP Gravity Forms Constant Contact plugin plugin <= 1.1.2 - Deserialization of untrusted data vulnerability CVE-2025-43849 GHSL-2025-019_Retrieval-based-Voice-Conversion-WebUI