{"id":"CVE-2024-10190","details":"Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. The vulnerability is due to improper handling of base64-encoded data in the `ElasticRendezvousHandler`, a subclass of `KVStoreHandler`. Specifically, the `_put_value` method in `ElasticRendezvousHandler` calls `codec.loads_base64(value)`, which eventually invokes `cloudpickle.loads(decoded)`. This allows an attacker to send a malicious pickle object via a PUT request, leading to arbitrary code execution on the server.","aliases":["GHSA-mrhh-3ggq-23p2"],"modified":"2026-04-10T05:08:03.536175Z","published":"2025-03-20T10:15:15.117Z","references":[{"type":"REPORT","url":"https://huntr.com/bounties/3e398d1f-70c2-4e05-ae22-f5d66b19a754"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/horovod/horovod","events":[{"introduced":"0"},{"last_affected":"1d217b59949986d025f6db93c49943fb6b6cc78f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.28.1"}]}}],"versions":["v0.10.0","v0.10.1","v0.10.2","v0.11.0","v0.11.1","v0.11.2","v0.11.3","v0.12.0","v0.12.1","v0.13.0","v0.13.1","v0.13.10","v0.13.11","v0.13.2","v0.13.3","v0.13.4","v0.13.5","v0.13.6","v0.13.7","v0.13.8","v0.14.0","v0.14.1","v0.15.0","v0.15.1","v0.15.2","v0.16.0","v0.16.1","v0.16.2","v0.16.3","v0.16.4","v0.17.0","v0.17.0.post1","v0.17.1","v0.18.0","v0.18.1","v0.18.2","v0.19.0","v0.19.1","v0.19.2","v0.20.0","v0.20.1","v0.20.2","v0.20.3","v0.21.0","v0.21.1","v0.21.2","v0.21.3","v0.22.0","v0.22.1","v0.23.0","v0.24.0","v0.24.1","v0.25.0","v0.26.0","v0.26.1","v0.27.0","v0.28.1","v0.9.0","v0.9.1","v0.9.10","v0.9.11","v0.9.12","v0.9.2","v0.9.3","v0.9.4","v0.9.5","v0.9.6","v0.9.7","v0.9.8","v0.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10190.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}