File Manipulation Vulnerability in CVAT by CVAT-AI
CVE-2025-64485

5.3MEDIUM

Key Information:

Vendor: Cvat-ai
Status: Cvat
Vendor: CVE Published:; 7 November 2025

What is CVE-2025-64485?

The CVAT open-source interactive video and image annotation tool has a vulnerability that allows users with at least the User global role to create or overwrite files on the mounted file share. In cases where no file share is mounted, users can still create files in the share directory of the import worker container. This issue has been addressed in version 2.49.0, which resolves the risks associated with disk space exploitation and file management within the application.

Affected Version(s)

cvat <= 2.4.0, < 2.49.0

References

https://github.com/cvat-ai/cvat/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/cvat-ai/cvat/commit/cace877189528a7ed4...

x_refsource_MISC

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 7, 2025
Vulnerability Reserved
Nov 5, 2025

CVE-2025-64485 Data

JSON

Cvat-ai

What is CVE-2025-64485?

Affected Version(s)

References

CVSS V4

Timeline