CVE-2025-0508: SageMaker Workflow component allows possibility of MD5 hash collisions

March 20, 2025 (updated March 21, 2025)

A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This issue can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes.

References

github.com/advisories/GHSA-32g6-mg92-ghm2
github.com/aws/sagemaker-python-sdk
github.com/aws/sagemaker-python-sdk/commit/dcdd99f911e8b1a05d19cf1ad939b0fefae47864
huntr.com/bounties/eb056818-5b81-466f-81ee-916058d34af2
nvd.nist.gov/vuln/detail/CVE-2025-0508

Code Behaviors & Features

Detect and mitigate CVE-2025-0508 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →