CVE-2024-9701

CRITICAL9.8EPSS 6.1%

Kedro deserialization vulnerability

Published: 3/20/2025Modified: 3/21/2025

Description

A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized.

Affected packages (1)

PyPI/kedrofrom 0, < 0.19.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-9701
PATCHhttps://github.com/kedro-org/kedro
WEBhttps://github.com/kedro-org/kedro/commit/66e5e074b2789469550370f370c8b486f638d975
WEBhttps://huntr.com/bounties/96c77fef-93b2-4d4d-8cbe-57a718d8eea5