CVE-2024-12215: Kedro allows Remote Code Execution by Pulling Micro Packages

March 20, 2025 (updated March 21, 2025)

In kedro-org/kedro version 0.19.8, the pull_package() API function allows users to download and extract micro packages from the Internet. However, the function project_wheel_metadata() within the code path can execute the setup.py file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim’s machine.

References

github.com/advisories/GHSA-rm69-wvpv-r2w7
github.com/kedro-org/kedro
huntr.com/bounties/fad27503-97a4-4933-91d4-96223b8c54d8
nvd.nist.gov/vuln/detail/CVE-2024-12215

Code Behaviors & Features

Detect and mitigate CVE-2024-12215 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →