CNNVD-202510-738 Information
CNNVD ID
CNNVD-202510-738
Related CVE
- CNNVD Published: 2025-10-05
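Description (Chinese, translated)
ZenML is an extensible open source MLOps framework from ZenML for creating portable, production-ready machine learning pipelines. ZenML version 0.83.1 contains a security vulnerability. It stems from the PathMaterializer class failing to effectively detect symbolic links and hard links when validating files during extraction of data.tar.gz, which may lead to arbitrary file write and arbitrary command execution.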
Description (English)
ZenML is an extensible open source MLOps framework, developed by ZenML, for building portable, production-ready machine learning pipelines. The vulnerability in ZenML version 0.83.1 arises because the PathMaterializer class does not effectively detect symbolic links and hard links when it validates files during extraction of data.tar.gz, which may lead to arbitrary file write and arbitrary command execution.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
ZenML
Published
2025-10-05
Last Modified
2026-02-24
References
https://github.com/zenml-io/zenml/commit/5d22a48d7bf6c7f10b748577c2be79cc7969d398
https://huntr.com/bounties/a0880d64-9928-45bf-9663-2cd81582d9e7