SCA: security update for label-studio-sdk (GHSA-rgv9-w7jp-m23g)

high Tenable Cloud Security Plugin ID 420906

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Label Studio is an open source data labeling tool. A path traversal vulnerability in Label Studio SDK
versions prior to 1.0.10 allows unauthorized file access outside the intended directory structure. The
flaw exists in the VOC, COCO and YOLO export functionalities. These functions invoke a `download` function
on the `label-studio-sdk` python package, which fails to validate file paths when processing image
references during task exports. By creating tasks with path traversal sequences in the image field, an
attacker can force the application to read files from arbitrary server filesystem locations when exporting
projects in any of the mentioned formats. This is authentication-required vulnerability allowing arbitrary
file reads from the server filesystem. It may lead to potential exposure of sensitive information like
configuration files, credentials, and confidential data. Label Studio versions before 1.16.0 specified SDK
versions prior to 1.0.10 as dependencies, and the issue was confirmed in Label Studio version 1.13.2.dev0;
therefore, Label Studio users should upgrade to 1.16.0 or newer to mitigate it. (CVE-2025-25295)

See Also

https://github.com/advisories/GHSA-rgv9-w7jp-m23g

Plugin Details

Severity: High

ID: 420906

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 2/14/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.92

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2025-25295

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/14/2025

Vulnerability Publication Date: 2/14/2025

Reference Information

CVE: CVE-2025-25295