CVE-2024-9701 Overview
A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized.
Critical Impact
Attackers can achieve complete system compromise through arbitrary Python code execution by exploiting insecure deserialization in the Kedro session management component.
Affected Products
- Kedro version 0.19.8
- Kedro versions using ShelveStore class for session management
- Applications implementing kedro.framework.session.shelvestore.ShelveStore
Discovery Timeline
- 2025-03-20 - CVE CVE-2024-9701 published to NVD
- 2025-03-20 - Last updated in NVD database
Technical Details for CVE-2024-9701
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The core issue stems from Kedro's ShelveStore class using Python's shelve module for persisting session data. The shelve module internally utilizes Python's pickle module for object serialization and deserialization, which is inherently unsafe when handling untrusted data.
When a user or attacker can influence the contents of the shelve file, they can craft malicious serialized objects that execute arbitrary code upon deserialization. This is particularly dangerous in scenarios where session data may be accessible through shared storage, application misconfigurations, or secondary vulnerabilities that allow file manipulation.
The vulnerability requires network access with no authentication or user interaction needed for exploitation, making it highly dangerous in exposed environments. Successful exploitation can result in complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause of this vulnerability lies in the unsafe use of Python's pickle module through the shelve interface. The ShelveStore class was designed to persist Kedro session data to disk but did not account for the well-documented security risks of deserializing untrusted pickle data.
The vulnerable code path occurs in the read() method which opens the shelve file with shelve.open() (noted as # noqa: S301 indicating the security concern was known but suppressed). When this method deserializes data from disk, any malicious pickle payload stored in the file will be executed.
Attack Vector
The attack vector is network-based and exploits the insecure deserialization mechanism in the ShelveStore class. An attacker who can write to the shelve file location (through misconfigured permissions, directory traversal, or other vulnerabilities) can plant a malicious serialized payload. When Kedro subsequently reads session data, the malicious payload executes arbitrary Python code with the privileges of the Kedro process.
The attack requires:
- Ability to write to the shelve file location used by ShelveStore
- Kedro application to subsequently read the session data via the read() method
- The malicious pickle payload to be crafted for the target Python environment
The following code shows the vulnerable ShelveStore implementation that was removed in the security patch:
class ShelveStore(BaseSessionStore):
"""Stores the session data on disk using `shelve` package.
This is an example of how to persist data on disk."""
_lock = Lock()
@property
def _location(self) -> Path:
return Path(self._path).expanduser().resolve() / self._session_id / "store"
def read(self) -> dict[str, Any]:
"""Read the data from disk using `shelve` package."""
data: dict[str, Any] = {}
try:
with shelve.open(str(self._location), flag="r") as _sh: # noqa: S301
Source: GitHub Commit
Detection Methods for CVE-2024-9701
Indicators of Compromise
- Unexpected or modified shelve files (.db, .dir, .bak extensions) in Kedro session storage directories
- Unusual Python process execution originating from Kedro application contexts
- Presence of pickled objects containing unexpected class types or module references in session files
- Anomalous network connections or child processes spawned by the Kedro application
Detection Strategies
- Monitor file system activity in Kedro session storage directories for unauthorized write operations
- Implement application-level logging to track session store read/write operations
- Deploy endpoint detection solutions capable of identifying pickle deserialization attacks
- Use integrity monitoring on shelve files to detect unauthorized modifications
Monitoring Recommendations
- Enable verbose logging in Kedro applications to capture session management activities
- Implement file integrity monitoring (FIM) on directories where ShelveStore persists data
- Configure security tools to alert on suspicious Python code execution patterns
- Monitor for unexpected imports of dangerous modules (os, subprocess, socket) during deserialization
How to Mitigate CVE-2024-9701
Immediate Actions Required
- Upgrade to a patched version of Kedro that removes the vulnerable ShelveStore class
- Migrate existing applications to use alternative session storage mechanisms
- Restrict file system permissions on any existing shelve storage directories
- Audit any existing shelve files for potential malicious payloads before processing
Patch Information
The Kedro maintainers addressed this vulnerability by completely removing the ShelveStore class from the codebase. The security patch is available in commit d79fa51de55ac0ccb58cce1a482df1b445f0fe7c. Organizations using the ShelveStore class should upgrade to a version that includes this fix and migrate to a secure session storage alternative.
For additional details, see the GitHub Commit Overview and the Huntr Bounty Listing.
Workarounds
- Implement custom session storage using secure serialization formats such as JSON instead of pickle
- Configure strict file system permissions to prevent unauthorized access to session data directories
- Deploy application sandboxing to limit the impact of potential code execution
- Use signed serialized data with HMAC verification to detect tampering before deserialization
# Example: Restrict permissions on Kedro session storage directory
chmod 700 ~/.kedro/sessions/
chown $(whoami):$(whoami) ~/.kedro/sessions/
# Verify no unexpected shelve files exist
find ~/.kedro -name "*.db" -o -name "*.dir" -o -name "*.bak" 2>/dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
