Remote Code Execution Vulnerability in Kedro ShelveStore by Kedro
CVE-2024-9701

9.8CRITICAL

Key Information:

Vendor: Kedro-org
Status: Kedro-org/kedro
Vendor: CVE Published:; 20 March 2025

What is CVE-2024-9701?

A vulnerability has been discovered in the Kedro ShelveStore class that permits remote code execution through the deserialization of crafted payloads. This issue arises from the use of Python's shelve module to manage session data, which employs the pickle serialization method. Attackers can exploit this vulnerability by creating and storing a malicious payload in a shelve file, which when deserialized, could execute arbitrary Python code. This flaw poses a significant risk as it may lead to a complete system compromise.

Affected Version(s)

kedro-org/kedro < 0.19.9

References

https://huntr.com/bounties/96c77fef-93b2-4d4d-8cbe-57a718...

https://github.com/kedro-org/kedro/commit/d79fa51de55ac0c...

CVSS V3.0

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Oct 9, 2024

CVE-2024-9701 Data

JSON

Kedro-org

What is CVE-2024-9701?

Affected Version(s)

References

CVSS V3.0

Timeline