CVE-2025-25295: Label Studio has a Path Traversal Vulnerability via image Field

February 14, 2025

A path traversal vulnerability in Label Studio SDK versions prior to 1.0.10 allows unauthorized file access outside the intended directory structure. Label Studio versions before 1.16.0 specified SDK versions prior to 1.0.10 as dependencies, and the issue was confirmed in Label Studio version 1.13.2.dev0; therefore, Label Studio users should upgrade to 1.16.0 or newer to mitigate it. The flaw exists in the VOC, COCO and YOLO export functionalites. These functions invoke a download function on the label-studio-sdk python package, which fails to validate file paths when processing image references during task exports:

def download(
url,
output_dir,
filename=None,
project_dir=None,
return_relative_path=False,
upload_dir=None,
download_resources=True,
):
is_local_file = url.startswith("/data/") and "?d=" in url
is_uploaded_file = url.startswith("/data/upload")

if is_uploaded_file:
upload_dir = _get_upload_dir(project_dir, upload_dir)
filename = urllib.parse.unquote(url.replace("/data/upload/", ""))
filepath = os.path.join(upload_dir, filename)
logger.debug(
f"Copy {filepath} to {output_dir}".format(
filepath=filepath, output_dir=output_dir
)
)
if download_resources:
shutil.copy(filepath, output_dir)
if return_relative_path:
return os.path.join(
os.path.basename(output_dir), os.path.basename(filename)
)
return filepath

if is_local_file:
filename, dir_path = url.split("/data/", 1)[-1].split("?d=")
dir_path = str(urllib.parse.unquote(dir_path))
filepath = os.path.join(LOCAL_FILES_DOCUMENT_ROOT, dir_path)
if not os.path.exists(filepath):
raise FileNotFoundError(filepath)
if download_resources:
shutil.copy(filepath, output_dir)
return filepath

By creating tasks with path traversal sequences in the image field, an attacker can force the application to read files from arbitrary server filesystem locations when exporting projects in any of the mentioned formats.

Note that there are two different possible code paths leading to this result, one for the is_uploaded_file and another one for the is_local_file.

References

Detect and mitigate CVE-2025-25295 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →