File Manipulation Vulnerability in CVAT by CVAT-AI
CVE-2025-64485

5.3MEDIUM

Key Information:

Vendor: Cvat-ai
Status: Cvat
Vendor: CVE Published:; 7 November 2025

What is CVE-2025-64485?

The CVAT open-source interactive video and image annotation tool has a vulnerability that allows users with at least the User global role to create or overwrite files on the mounted file share. In cases where no file share is mounted, users can still create files in the share directory of the import worker container. This issue has been addressed in version 2.49.0, which resolves the risks associated with disk space exploitation and file management within the application.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

cvat <= 2.4.0, < 2.49.0

References

https://github.com/cvat-ai/cvat/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/cvat-ai/cvat/commit/cace877189528a7ed4...

x_refsource_MISC

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 7, 2025
Vulnerability Reserved
Nov 5, 2025

JSON

Cvat-ai

What is CVE-2025-64485?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.