CVE-2025-23045 Overview
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. A critical insecure deserialization vulnerability exists in CVAT deployments that run serverless tracker functions, allowing authenticated attackers to execute arbitrary code within the Nuclio function container context.
Critical Impact
Authenticated attackers can achieve remote code execution by exploiting unsafe serialization handling in tracker functions, potentially compromising the entire CVAT deployment and underlying infrastructure.
Affected Products
- CVAT Computer Vision Annotation Tool versions prior to 2.26.0
- CVAT deployments running TransT tracker function
- CVAT deployments running SiamMask tracker function
- Custom tracker functions using unsafe serialization libraries (pickle, jsonpickle)
Discovery Timeline
- 2025-01-28 - CVE CVE-2025-23045 published to NVD
- 2025-09-16 - Last updated in NVD database
Technical Details for CVE-2025-23045
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The flaw exists in how CVAT's serverless tracker functions handle state serialization. When tracker functions like TransT and SiamMask process state data, they utilize unsafe serialization libraries such as pickle or jsonpickle that can execute arbitrary code during deserialization.
An attacker with a valid account on the affected CVAT instance can craft malicious serialized payloads that, when processed by the tracker functions, result in arbitrary code execution within the Nuclio function container. This network-accessible vulnerability requires low privileges and no user interaction to exploit.
Root Cause
The root cause lies in the use of inherently unsafe serialization mechanisms for handling tracker state data. Libraries like pickle and jsonpickle are known to be vulnerable to object injection attacks because they can instantiate arbitrary Python objects during deserialization, including objects that execute code upon creation.
The fix implemented in the security patch introduces Django's TimestampSigner for cryptographic signing and validation of serialized data, preventing manipulation of state payloads.
Attack Vector
The attack is network-based and can be executed by any authenticated user on the CVAT platform. The attacker crafts a malicious serialized payload containing code execution primitives and submits it to a tracker function endpoint. When the function deserializes the payload to restore state, the embedded malicious code executes in the context of the Nuclio function container.
The exploitation path involves:
- Authenticating to the target CVAT instance
- Crafting a malicious pickle/jsonpickle payload with embedded code execution
- Submitting the payload to a vulnerable tracker function (TransT or SiamMask)
- Achieving code execution when the function deserializes the state
import rq
from django.conf import settings
from django.core.exceptions import ObjectDoesNotExist, ValidationError
+from django.core.signing import BadSignature, TimestampSigner
from drf_spectacular.types import OpenApiTypes
from drf_spectacular.utils import (
OpenApiParameter,
Source: GitHub Commit Details
The patch introduces TimestampSigner from Django's cryptographic signing module to validate serialized state data, preventing attackers from injecting malicious payloads.
Detection Methods for CVE-2025-23045
Indicators of Compromise
- Unusual process spawning from Nuclio function containers
- Unexpected network connections originating from tracker function containers
- Anomalous file system modifications within serverless function environments
- Authentication events followed by tracker function calls with abnormally large or encoded payloads
Detection Strategies
- Monitor for suspicious Python object instantiation patterns in application logs
- Implement network segmentation monitoring for Nuclio containers
- Audit tracker function invocations for unusual payload sizes or encoding
- Review authentication logs for accounts making repeated tracker function requests
Monitoring Recommendations
- Enable verbose logging for CVAT lambda manager views
- Implement application-layer intrusion detection for serialized data patterns
- Monitor Nuclio function container resource utilization for anomalies
- Set up alerts for any shell command execution from within function containers
How to Mitigate CVE-2025-23045
Immediate Actions Required
- Upgrade to CVAT version 2.26.0 or later immediately
- If upgrade is not possible, shut down TransT and SiamMask function instances
- Audit custom tracker functions for use of pickle or jsonpickle serialization
- Review access logs for any suspicious tracker function activity
Patch Information
The vulnerability has been addressed in CVAT version 2.26.0. The security fix is available in commit 563e1dfde64b15fa042b23f9d09cd854b35f0366. The patch introduces Django's TimestampSigner for cryptographic validation of serialized state data, preventing malicious payload injection.
For detailed information, refer to the GitHub Security Advisory and the patch commit.
Workarounds
- Disable or shut down TransT tracker function instances until patched
- Disable or shut down SiamMask tracker function instances until patched
- Review and migrate custom tracker functions to use safe serialization (e.g., JSON with explicit schema validation)
- Implement network isolation for Nuclio function containers to limit blast radius
# Configuration example
# Shut down vulnerable tracker functions
docker stop cvat_nuclio_TransT
docker stop cvat_nuclio_SiamMask
# Verify no tracker functions are running
docker ps | grep -E "(TransT|SiamMask)"
# After upgrade to 2.26.0+, restart services
docker-compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
