CVE-2025-64485
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-08

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.4.0 through 2.48.1, a malicious CVAT user with at least the User global role may create files in the root of the mounted file share, or overwrite existing files. If no file share is mounted, the user will be able to create files in the share directory of the import worker container, potentially filling up disk space. This issue is fixed in version 2.49.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-08
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64485
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
cvat-ai cvat 2.49.0
cvat-ai cvat 2.48.1
cvat-ai cvat 2.4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in CVAT versions 2.4.0 through 2.48.1 allows a malicious user with at least the User global role to create or overwrite files in the root of the mounted file share. If no file share is mounted, the user can create files in the share directory of the import worker container, which could potentially fill up disk space. This issue is fixed in version 2.49.0.

Impact Analysis

The vulnerability can allow a malicious user to create or overwrite files in critical directories, potentially leading to unauthorized file manipulation or disk space exhaustion. This could disrupt normal operations, cause denial of service due to full disk space, or lead to data integrity issues.

Mitigation Strategies

Upgrade CVAT to version 2.49.0 or later, as this version contains the fix for the vulnerability. Additionally, restrict the User global role permissions to trusted users only and monitor file creation in the mounted file share or import worker container directories to prevent unauthorized file creation or overwriting.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64485. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart