CVE-2025-25295 Overview
CVE-2025-25295 is a path traversal vulnerability in the Label Studio SDK affecting versions prior to 1.0.10. The flaw resides in the VOC, COCO, and YOLO export functions of the label-studio-sdk Python package. These functions invoke a download routine that fails to validate file paths when processing image references during task exports. Authenticated attackers can craft tasks containing traversal sequences in the image field to read arbitrary files from the server filesystem. Label Studio versions before 1.16.0 pin the vulnerable SDK as a dependency, and the issue was confirmed in Label Studio 1.13.2.dev0.
Critical Impact
Authenticated attackers can read arbitrary files from the host filesystem, exposing configuration files, credentials, and confidential project data.
Affected Products
- label-studio-sdk Python package versions prior to 1.0.10
- Label Studio versions prior to 1.16.0
- Label Studio 1.13.2.dev0 (confirmed vulnerable build)
Discovery Timeline
- 2025-02-14 - CVE-2025-25295 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-25295
Vulnerability Analysis
Label Studio is an open source data labeling tool widely used to prepare datasets for machine learning pipelines. The SDK exposes export utilities that convert annotation tasks into the VOC, COCO, and YOLO formats. During this conversion, the SDK resolves the image field of each task and calls an internal download helper to fetch the referenced file. The helper concatenates user-controlled path components without canonicalizing or constraining them to an allowed base directory.
This behavior maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Because export operations execute server-side under the application's privileges, the file read bypasses Label Studio's project-level isolation. Attackers can retrieve sensitive artifacts such as /etc/passwd, environment files, database credentials, and TLS private keys reachable by the service account.
Root Cause
The download function in the SDK trusts the image attribute supplied by task creators. It neither normalizes traversal sequences such as ../ nor enforces that the resolved path stays within an export workspace, and because os.path.join-style concatenation discards the base directory when the second component is absolute, an absolute reference escapes just as easily. As a result, any authenticated user who can create or modify tasks can influence which file the server reads when exports run.
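To make the root cause concrete, here is an added example written for this page, not code from label-studio-sdk: a minimal download helper in the vulnerable shape the text describes, beside a hardened version that canonicalizes the resolved path and refuses anything outside the export workspace. The function names, the exception class, and the throwaway workspace with its sample files are this example's own assumptions, not SDK identifiers.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideWorkspace(Exception):
    """Hypothetical error: a task's image reference escapes the export workspace."""


def download_unsafe(base_dir, image_ref):
    """Vulnerable shape (CWE-22): the task-supplied reference is joined onto the
    workspace root with no normalisation, so '../' segments walk out of it and
    an absolute reference replaces the base entirely (os.path.join semantics)."""
    path = os.path.join(base_dir, image_ref)
    with open(path, "rb") as fh:
        return fh.read()


def download_safe(base_dir, image_ref):
    """Hardened: reject absolute references, canonicalise the joined path
    (resolving symlinks and '..'), and require the result to stay under the
    canonical base directory before any file is opened."""
    base = Path(base_dir).resolve()
    if os.path.isabs(image_ref):
        raise PathOutsideWorkspace(f"absolute reference rejected: {image_ref!r}")
    target = (base / image_ref).resolve()
    if target == base or base not in target.parents:
        raise PathOutsideWorkspace(f"reference escapes workspace: {image_ref!r}")
    return target.read_bytes()


def demo():
    """Build a throwaway workspace (constructed sample data) and run both helpers."""
    root = Path(tempfile.mkdtemp())
    workspace = root / "export_workspace"
    workspace.mkdir()
    (workspace / "cat.jpg").write_bytes(b"\xff\xd8fake-jpeg")
    # Stands in for a sensitive file outside the workspace (e.g. an .env file).
    secret = root / "secret.env"
    secret.write_bytes(b"DB_PASSWORD=hunter2\n")

    results = {
        "unsafe_legit": download_unsafe(str(workspace), "cat.jpg"),
        "unsafe_traversal": download_unsafe(str(workspace), "../secret.env"),
        "safe_legit": download_safe(str(workspace), "cat.jpg"),
    }
    for label, ref in (("safe_traversal", "../secret.env"),
                       ("safe_absolute", str(secret))):
        try:
            download_safe(str(workspace), ref)
            results[label] = "read"
        except PathOutsideWorkspace:
            results[label] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hardened version resolves symlinks before the containment check, so a link planted inside the workspace that points outside it is also rejected; checking the raw joined string with startswith() would not catch that case.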
Attack Vector
An attacker with authenticated access to a Label Studio instance creates a task whose image field carries a traversal payload, for example a value resolving to ../../../../etc/passwd. The attacker then triggers a VOC, COCO, or YOLO export against the project. The SDK resolves the image reference, reads the targeted file, and packages its contents into the exported archive, which the attacker downloads. No user interaction beyond standard project workflows is required, and because the export endpoints are reachable over the network the attack can be carried out remotely.
No verified public proof-of-concept code is referenced in the advisory. Refer to the GitHub Security Advisory GHSA-rgv9-w7jp-m23g for technical details.
Detection Methods for CVE-2025-25295
Indicators of Compromise
- Task records whose image field contains traversal sequences such as ../ or ..\, or absolute paths pointing outside the project media directory.
- Unexpected export archives (VOC, COCO, YOLO) containing files unrelated to project media, including system or configuration files.
- Application logs showing successful file reads from paths outside the configured Label Studio media root.
Detection Strategies
- Audit the Label Studio database for tasks whose data.image values contain .. segments or absolute filesystem paths.
- Review export job history for archives produced by non-administrative accounts shortly after task creation or edits.
- Compare installed label-studio-sdk version against 1.0.10 and Label Studio version against 1.16.0 to identify exposed deployments.
Monitoring Recommendations
- Alert on filesystem reads performed by the Label Studio service process targeting paths outside the application's media and project directories.
- Capture HTTP access logs for /api/projects/*/export endpoints and correlate with task creation events from the same user.
- Forward Label Studio application logs to a centralized analytics platform to enable retrospective hunting across export operations.
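The task audit, the indicator list, and the export-log correlation described above can be combined into one hunting script. The following is an added example, not tooling from the advisory or from Label Studio: it classifies each task's data.image value, then matches flagged tasks to export requests made by the same account. The task records, the access-log line format, the list of allowed URL prefixes, and all sample values are constructed for this example; only the /api/projects/*/export path comes from the recommendation above.

```python
import re
from urllib.parse import unquote

# Reference shapes worth flagging in data.image: file: URLs, parent-directory
# segments (forward or back slash, also after URL-decoding), and absolute
# filesystem paths that do not use a known media-serving prefix.
FILE_URL = re.compile(r"^file:", re.IGNORECASE)
TRAVERSAL = re.compile(r"(^|[^A-Za-z0-9.])\.\.([\\/]|$)")
ABSOLUTE = re.compile(r"^(/|[A-Za-z]:[\\/]|\\\\)")
# Assumed legitimate prefixes for this deployment (constructed for the example).
ALLOWED_PREFIXES = ("/data/upload/", "/data/local-files/",
                    "http://", "https://", "s3://", "gs://")


def classify_image_ref(value):
    """Return a short reason if the reference looks like traversal, else None."""
    if not isinstance(value, str):
        return None
    decoded = unquote(unquote(value))  # also catches %2e%2e and double encoding
    if FILE_URL.search(decoded):
        return "file URL"
    if TRAVERSAL.search(decoded):
        return "parent-directory segment"
    if decoded.startswith(ALLOWED_PREFIXES):
        return None
    if ABSOLUTE.search(decoded):
        return "absolute path"
    return None


def scan_tasks(tasks):
    """Flag tasks whose data.image value classify_image_ref considers suspicious."""
    findings = []
    for task in tasks:
        image = (task.get("data") or {}).get("image")
        reason = classify_image_ref(image)
        if reason:
            findings.append({"task_id": task["id"], "user": task.get("created_by"),
                             "image": image, "reason": reason})
    return findings


# Constructed access-log format: "<timestamp> user=<name> <status> <method> <path>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+)")
EXPORT_PATH = re.compile(r"^/api/projects/\d+/export(\?|$)")


def export_requests(log_lines):
    """Pick out requests to the project export endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and EXPORT_PATH.match(m["path"]):
            hits.append({"ts": m["ts"], "user": m["user"], "path": m["path"]})
    return hits


def correlate(tasks, log_lines):
    """Pair each flagged task with export requests made by the same account."""
    exports = export_requests(log_lines)
    alerts = []
    for finding in scan_tasks(tasks):
        for req in exports:
            if req["user"] == finding["user"]:
                alerts.append({**finding, "export_ts": req["ts"], "export_path": req["path"]})
    return alerts


# Constructed sample data in the shape of a Label Studio task export.
SAMPLE_TASKS = [
    {"id": 101, "created_by": "alice", "data": {"image": "/data/upload/7/cat.jpg"}},
    {"id": 102, "created_by": "mallory", "data": {"image": "../../../../etc/passwd"}},
    {"id": 103, "created_by": "mallory", "data": {"image": "/data/local-files/?d=..%2F..%2F.env"}},
    {"id": 104, "created_by": "bob", "data": {"image": "https://example.org/img/dog.png"}},
    {"id": 105, "created_by": "carol", "data": {"image": "/etc/shadow"}},
]
SAMPLE_LOG = [
    "2025-02-14T10:01:03Z user=alice 200 GET /api/projects/7/tasks",
    "2025-02-14T10:02:11Z user=mallory 200 GET /api/projects/7/export?exportType=YOLO",
    "2025-02-14T10:02:40Z user=bob 200 GET /api/projects/7/export?exportType=JSON",
    "2025-02-14T10:03:05Z user=carol 403 POST /api/projects/7/import",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_TASKS, SAMPLE_LOG):
        print(alert)
```

On the sample data the scan flags tasks 102, 103 and 105, and only mallory's two tasks are paired with an export request; carol's absolute path is reported by scan_tasks but produces no correlated alert because no export by that account appears in the log. Decoding twice before matching is deliberate, since a %252e%252e payload survives a single decode.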
How to Mitigate CVE-2025-25295
Immediate Actions Required
- Upgrade Label Studio to version 1.16.0 or later, which depends on the patched label-studio-sdk 1.0.10.
- Upgrade standalone deployments of the label-studio-sdk Python package to 1.0.10 or later.
- Review existing tasks for malicious image field values and remove or sanitize them before running exports.
- Rotate any credentials, API tokens, or keys that may have been accessible to the Label Studio service account.
Patch Information
The issue is fixed in label-studio-sdk 1.0.10. The upstream fix is documented in the HumanSignal label-studio-sdk commit 4a9715c and tracked under GHSA-rgv9-w7jp-m23g. Label Studio users must upgrade the application to 1.16.0 or newer because earlier releases pin the vulnerable SDK as a dependency.
Workarounds
- Restrict project membership so only trusted users can create or modify tasks until the patched version is deployed.
- Run Label Studio under a dedicated low-privilege service account with filesystem access limited to the media and project directories.
- Apply mandatory access controls such as AppArmor or SELinux profiles to confine the Label Studio process to its working directories.
- Disable VOC, COCO, and YOLO export functionality for non-administrative roles until the upgrade is complete.
# Configuration example: upgrade both packages, then confirm the installed versions
pip install --upgrade "label-studio>=1.16.0" "label-studio-sdk>=1.0.10"
# Expect Version lines of at least 1.16.0 for label-studio and 1.0.10 for label-studio-sdk
pip show label-studio label-studio-sdk | grep -E "Name|Version"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.