Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for docarray by linuxfoundation

    CVE-2025-5150 (GCVE-0-2025-5150)

    Vulnerability from nvd – Published: 2025-05-25 15:00 – Updated: 2025-05-28 17:38
    VLAI
    Title
    docarray Web API torch_dataset.py __getitem__ prototype pollution
    Summary
    A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
    • CWE-94 - Code Injection
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.310238 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.310238 signaturepermissions-required
    https://vuldb.com/?submit.574696 third-party-advisory
    https://gist.github.com/superboy-zjc/56502343bcb1… exploit
    Impacted products
    Vendor Product Version
    n/a docarray Affected: 0.40.0
    Affected: 0.40.1
    Credits
    Gavin Zhong (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5150",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-27T14:21:27.308517Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-28T17:38:30.293Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://gist.github.com/superboy-zjc/56502343bcb12eb653081b426debf2c8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Web API"
              ],
              "product": "docarray",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.40.0"
                },
                {
                  "status": "affected",
                  "version": "0.40.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Gavin Zhong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Eine kritische Schwachstelle wurde in docarray bis 0.40.1 ausgemacht. Betroffen davon ist die Funktion __getitem__ der Datei /docarray/data/torch_dataset.py der Komponente Web API. Mittels dem Manipulieren mit unbekannten Daten kann eine improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027)-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-25T15:00:07.698Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-310238 | docarray Web API torch_dataset.py __getitem__ prototype pollution",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.310238"
            },
            {
              "name": "VDB-310238 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.310238"
            },
            {
              "name": "Submit #574696 | docarray 0.40.1 Improperly Controlled Modification of Object Prototype Attribute",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.574696"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/superboy-zjc/56502343bcb12eb653081b426debf2c8"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-24T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-05-24T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-05-24T19:41:02.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "docarray Web API torch_dataset.py __getitem__ prototype pollution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-5150",
        "datePublished": "2025-05-25T15:00:07.698Z",
        "dateReserved": "2025-05-24T17:35:59.271Z",
        "dateUpdated": "2025-05-28T17:38:30.293Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-5150 (GCVE-0-2025-5150)

    Vulnerability from cvelistv5 – Published: 2025-05-25 15:00 – Updated: 2025-05-28 17:38
    VLAI
    Title
    docarray Web API torch_dataset.py __getitem__ prototype pollution
    Summary
    A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
    • CWE-94 - Code Injection
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.310238 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.310238 signaturepermissions-required
    https://vuldb.com/?submit.574696 third-party-advisory
    https://gist.github.com/superboy-zjc/56502343bcb1… exploit
    Impacted products
    Vendor Product Version
    n/a docarray Affected: 0.40.0
    Affected: 0.40.1
    Credits
    Gavin Zhong (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-5150",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-27T14:21:27.308517Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-28T17:38:30.293Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://gist.github.com/superboy-zjc/56502343bcb12eb653081b426debf2c8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Web API"
              ],
              "product": "docarray",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.40.0"
                },
                {
                  "status": "affected",
                  "version": "0.40.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Gavin Zhong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Eine kritische Schwachstelle wurde in docarray bis 0.40.1 ausgemacht. Betroffen davon ist die Funktion __getitem__ der Datei /docarray/data/torch_dataset.py der Komponente Web API. Mittels dem Manipulieren mit unbekannten Daten kann eine improperly controlled modification of object prototype attributes (\u0027prototype pollution\u0027)-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-25T15:00:07.698Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-310238 | docarray Web API torch_dataset.py __getitem__ prototype pollution",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.310238"
            },
            {
              "name": "VDB-310238 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.310238"
            },
            {
              "name": "Submit #574696 | docarray 0.40.1 Improperly Controlled Modification of Object Prototype Attribute",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.574696"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/superboy-zjc/56502343bcb12eb653081b426debf2c8"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-24T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-05-24T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-05-24T19:41:02.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "docarray Web API torch_dataset.py __getitem__ prototype pollution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-5150",
        "datePublished": "2025-05-25T15:00:07.698Z",
        "dateReserved": "2025-05-24T17:35:59.271Z",
        "dateUpdated": "2025-05-28T17:38:30.293Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }