CVE-2024-12215 Overview
CVE-2024-12215 is a remote code execution (RCE) vulnerability in kedro-org/kedro version 0.19.8. The pull_package() API function downloads and extracts micro packages from the Internet. During processing, the project_wheel_metadata() function executes the setup.py file contained within the tar archive. An attacker who convinces a user to pull a malicious package can execute arbitrary commands on the victim's machine. The flaw is classified under CWE-94: Improper Control of Generation of Code.
Critical Impact
Successful exploitation grants attackers arbitrary command execution in the context of the user running Kedro, compromising confidentiality, integrity, and availability.
Affected Products
- kedro-org/kedro version 0.19.8
- Python data pipeline projects using the pull_package() micro-packaging API
- Development and CI environments that resolve Kedro packages from untrusted sources
Discovery Timeline
- 2025-03-20 - CVE-2024-12215 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-12215
Vulnerability Analysis
Kedro is an open-source Python framework for building reproducible data science pipelines. The framework's micro-packaging feature lets users share and reuse pipeline components as distributable archives. The pull_package() function accepts a package URL, downloads the referenced archive, and extracts it locally for installation.
During the extraction and metadata resolution stage, Kedro calls project_wheel_metadata() to determine wheel metadata for the pulled package. This routine invokes the setup.py script contained inside the archive to compute build metadata. Because setup.py is arbitrary Python code, any content placed there by the archive author runs with the privileges of the Kedro process.
Root Cause
The root cause is unsafe code execution during untrusted package processing. Kedro treats remotely fetched archives as inputs to a build system that intentionally runs code, without sandboxing or requiring the package to be signed or verified. There is no allowlist, integrity check, or isolated execution environment protecting the host from a hostile setup.py.
Attack Vector
An attacker hosts a malicious tar archive on a reachable URL or compromises an existing package source. The attacker then persuades a developer or automation user to invoke pull_package() against that URL. Once the archive is fetched, project_wheel_metadata() executes the embedded setup.py, running attacker-controlled commands with the user's permissions. The vulnerability requires user interaction to initiate the pull but no authentication to the target system.
No verified proof-of-concept code is published in the referenced advisory. See the Huntr Bounty Listing for additional technical context.
Detection Methods for CVE-2024-12215
Indicators of Compromise
- Outbound network requests from Python processes to unexpected package-hosting domains preceding pull_package() execution
- Unexpected child processes spawned by python, kedro, or pip interpreters during package pulls
- Newly written or modified files inside project directories immediately after a kedro micropkg pull invocation
- Shell interpreters (sh, bash, cmd.exe, powershell.exe) launched by a Kedro process
Detection Strategies
- Inventory hosts running Kedro 0.19.8 and monitor invocations of pull_package() or the kedro micropkg pull CLI subcommand
- Alert when a Python process executes setup.py from a directory under /tmp, %TEMP%, or other transient extraction paths
- Correlate archive downloads with subsequent process creation events attributable to the same Python interpreter
Monitoring Recommendations
- Enable process lineage logging on developer workstations and CI runners that execute Kedro
- Forward Python and shell execution telemetry to a centralized data lake for retrospective hunting
- Track command-line arguments containing micropkg pull alongside network egress metadata
How to Mitigate CVE-2024-12215
Immediate Actions Required
- Restrict use of pull_package() to archives from trusted, internally controlled sources only
- Audit historical CI logs and shell histories for prior kedro micropkg pull invocations against untrusted URLs
- Isolate Kedro package-pull operations to ephemeral, non-privileged containers or virtual machines
Patch Information
At the time of NVD publication, no fixed version was recorded in the referenced advisory. Consult the Huntr Bounty Listing and the upstream kedro-org/kedro repository for the latest release information and remediation status.
Workarounds
- Disable or wrap pull_package() with organization-approved logic that validates package origin before invocation
- Require code review of any setup.py contained in third-party micro packages before pulling them on developer hosts
- Run Kedro workflows under a least-privilege service account with no access to secrets, source repositories, or production credentials
- Block outbound access from build agents to arbitrary Internet destinations, permitting only vetted package mirrors
# Configuration example: run Kedro package pulls inside a disposable container
docker run --rm --network=none \
-v "$PWD/vetted-archives:/pkgs:ro" \
-u 1000:1000 \
python:3.11-slim \
bash -c "pip install kedro==0.19.8 && kedro micropkg pull /pkgs/package.tar.gz"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

