CVE-2025-49135
BaseFortify

Publication date: 2025-06-25

Last updated on: 2025-09-15

Assigner: GitHub, Inc.

Description
CVAT is an open source interactive video and image annotation tool for computer vision. Versions 2.2.0 through 2.39.0 have no validation during the import process of a project or task backup to check that the filename specified in the query parameter refers to a TUS-uploaded file belonging to the same user. As a result, if an attacker with a CVAT account and a `user` role knows the filenames of other users' uploads, they could potentially access and steal data by creating projects or tasks using those files. This issue does not affect annotation or dataset TUS uploads, since in this case object-specific temporary directories are used. Users should upgrade to CVAT 2.40.0 or a later version to receive a patch. No known workarounds are available.
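A simplified model of the missing check, added here as an illustration and not taken from CVAT's code: the vulnerable resolver trusts the `filename` query parameter outright, while the hardened version resolves a name only when the TUS upload registry records it as belonging to the requesting user. The upload directory, the in-memory registry and the function names are assumptions made for the example.

```python
from pathlib import Path

# Hypothetical shared TUS upload directory (assumption for this example).
UPLOAD_ROOT = Path("/tmp/tus_uploads")

# Constructed ownership registry: TUS upload file name -> owning user.
# A real deployment would consult the TUS metadata store instead.
UPLOADS = {
    "a1b2c3.zip": "alice",
    "d4e5f6.zip": "bob",
}

# Same message whether the file is missing or belongs to someone else,
# so the response does not confirm that another user's upload exists.
NO_SUCH_FILE = "No such file were uploaded"


def resolve_backup_vulnerable(filename: str) -> Path:
    """Vulnerable: any name given in ?filename= resolves, regardless of owner."""
    return UPLOAD_ROOT / filename


def resolve_backup_fixed(filename: str, requesting_user: str) -> Path:
    """Hardened: only a bare TUS file name recorded for this user resolves."""
    # Reject anything that is not a bare file name (separators, '.', '..').
    if not filename or Path(filename).name != filename or filename in (".", ".."):
        raise PermissionError(NO_SUCH_FILE)
    owner = UPLOADS.get(filename)
    if owner is None or owner != requesting_user:
        raise PermissionError(NO_SUCH_FILE)
    return UPLOAD_ROOT / filename


def can_import(filename: str, requesting_user: str) -> bool:
    """True if the hardened check lets `requesting_user` import `filename`."""
    try:
        resolve_backup_fixed(filename, requesting_user)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # bob's upload is reachable by alice through the unchecked resolver...
    print(resolve_backup_vulnerable("d4e5f6.zip"))
    # ...but only by bob once ownership is enforced.
    print(can_import("d4e5f6.zip", "bob"), can_import("d4e5f6.zip", "alice"))
```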
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-06-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: cvat
Product: computer_vision_annotation_tool
Version range: from 2.2.0 (inclusive) to 2.40.0 (exclusive)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-49135 is a vulnerability in CVAT versions 2.2.0 through 2.39.0 where the system does not validate during the import process that a filename specified in the query parameter belongs to a TUS-uploaded file owned by the same user. This means an attacker with a CVAT user account and knowledge of other users' filenames can create projects or tasks using those files, potentially accessing and stealing data. The vulnerability affects project or task backup imports but not annotation or dataset uploads, which use user-specific temporary directories. The issue is fixed in CVAT version 2.40.0 by adding validation to ensure file ownership during import. [1, 2]


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker with a valid CVAT user account and knowledge of other users' uploaded filenames to access and steal data from those users by creating projects or tasks that reference those files. The impact is limited to confidentiality, meaning unauthorized data disclosure could occur, but there is no effect on data integrity or system availability. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to import project or task backups referencing TUS-uploaded files that belong to other users. If the system allows such imports without validation errors, it is vulnerable. Specifically, one can test the import API endpoints by sending requests with query parameters specifying filenames known to belong to other users. A successful import or lack of an HTTP 400 Bad Request error with messages like "No such file were uploaded" indicates vulnerability. There are no specific network commands provided, but testing the import API with unauthorized filenames is the method. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade CVAT to version 2.40.0 or later, where the issue has been patched by adding validation to ensure that only files uploaded by the requesting user can be used in import operations. No other workarounds are available. [1]

