CVE-2025-25295: Label Studio has a Path Traversal Vulnerability via image Field
A path traversal vulnerability in Label Studio SDK versions prior to 1.0.10 allows unauthorized file access outside the intended directory structure. Label Studio versions before 1.16.0 specified SDK versions prior to 1.0.10 as dependencies, and the issue was confirmed in Label Studio version 1.13.2.dev0; therefore, Label Studio users should upgrade to 1.16.0 or newer to mitigate it. The flaw exists in the VOC, COCO and YOLO export functionalities. These functions invoke a download function in the label-studio-sdk Python package, which fails to validate file paths when processing image references during task exports:
```python
import logging
import os
import shutil
import urllib.parse

logger = logging.getLogger(__name__)

# LOCAL_FILES_DOCUMENT_ROOT and _get_upload_dir() are defined elsewhere in the SDK.


def download(
    url,
    output_dir,
    filename=None,
    project_dir=None,
    return_relative_path=False,
    upload_dir=None,
    download_resources=True,
):
    is_local_file = url.startswith("/data/") and "?d=" in url
    is_uploaded_file = url.startswith("/data/upload")
    if is_uploaded_file:
        upload_dir = _get_upload_dir(project_dir, upload_dir)
        # The URL-decoded remainder of the URL is joined onto upload_dir unchecked.
        filename = urllib.parse.unquote(url.replace("/data/upload/", ""))
        filepath = os.path.join(upload_dir, filename)
        logger.debug(
            f"Copy {filepath} to {output_dir}".format(
                filepath=filepath, output_dir=output_dir
            )
        )
        if download_resources:
            shutil.copy(filepath, output_dir)
        if return_relative_path:
            return os.path.join(
                os.path.basename(output_dir), os.path.basename(filename)
            )
        return filepath
    if is_local_file:
        filename, dir_path = url.split("/data/", 1)[-1].split("?d=")
        # The ?d= parameter is URL-decoded and joined onto the document root unchecked.
        dir_path = str(urllib.parse.unquote(dir_path))
        filepath = os.path.join(LOCAL_FILES_DOCUMENT_ROOT, dir_path)
        if not os.path.exists(filepath):
            raise FileNotFoundError(filepath)
        if download_resources:
            shutil.copy(filepath, output_dir)
        return filepath
```
By creating tasks with path traversal sequences in the image field, an attacker can force the application to read files from arbitrary server filesystem locations when exporting projects in any of the mentioned formats.
Note that there are two different possible code paths leading to this result, one for the is_uploaded_file case and another one for the is_local_file case.
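The following added example (not code from the advisory or the SDK) mirrors both URL shapes handled by download(), shows how the unchecked os.path.join resolves a traversal sequence, and places a containment check beside it. The base directories are constructed stand-ins, and hardened_resolve is an assumed mitigation, not the SDK's actual patch.

```python
import os
import urllib.parse
from pathlib import Path

# Constructed values standing in for the SDK's configuration (not from the advisory).
UPLOAD_DIR = "/srv/label-studio/media/upload"
LOCAL_FILES_DOCUMENT_ROOT = "/srv/label-studio/local-files"


def extract_relative_path(url: str) -> tuple[str, str]:
    """Return (base_dir, user_controlled_path) for the two URL shapes download()
    accepts. Decoding happens before the join, exactly as in the vulnerable code."""
    if url.startswith("/data/upload"):
        return UPLOAD_DIR, urllib.parse.unquote(url.replace("/data/upload/", ""))
    if url.startswith("/data/") and "?d=" in url:
        _, dir_path = url.split("/data/", 1)[-1].split("?d=")
        return LOCAL_FILES_DOCUMENT_ROOT, urllib.parse.unquote(dir_path)
    raise ValueError(f"not a local task reference: {url!r}")


def vulnerable_resolve(url: str) -> str:
    """The advisory's behaviour: os.path.join with no containment check, so '..'
    segments (or an absolute path) walk out of the base directory."""
    base, rel = extract_relative_path(url)
    return os.path.normpath(os.path.join(base, rel))


def hardened_resolve(url: str) -> str:
    """Assumed fix: resolve the joined path and refuse it unless it is the base
    directory itself or one of its descendants."""
    base, rel = extract_relative_path(url)
    root = Path(base).resolve()
    candidate = (root / rel).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes {base}: {url!r}")
    return str(candidate)


def is_safe_reference(url: str) -> bool:
    """Predicate for validating task image fields before an export is attempted."""
    try:
        hardened_resolve(url)
        return True
    except ValueError:
        return False
```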