{"id":"GHSA-rm69-wvpv-r2w7","summary":"Kedro allows Remote Code Execution by Pulling Micro Packages","details":"In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine.","aliases":["CVE-2024-12215"],"modified":"2025-10-15T17:31:37.829387Z","published":"2025-03-20T12:32:42Z","database_specific":{"cwe_ids":["CWE-20","CWE-829","CWE-94"],"severity":"HIGH","github_reviewed":true,"github_reviewed_at":"2025-03-21T17:25:31Z","nvd_published_at":"2025-03-20T10:15:27Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12215"},{"type":"PACKAGE","url":"https://github.com/kedro-org/kedro"},{"type":"WEB","url":"https://huntr.com/bounties/fad27503-97a4-4933-91d4-96223b8c54d8"}],"affected":[{"package":{"name":"kedro","ecosystem":"PyPI","purl":"pkg:pypi/kedro"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"0.19.8"}]}],"versions":["0.14.0","0.14.1","0.14.2","0.14.3","0.15.0","0.15.1","0.15.2","0.15.3","0.15.4","0.15.5","0.15.6","0.15.7","0.15.8","0.15.9","0.16.0","0.16.1","0.16.2","0.16.3","0.16.4","0.16.5","0.16.6","0.17.0","0.17.1","0.17.2","0.17.3","0.17.4","0.17.5","0.17.6","0.17.7","0.18.0","0.18.1","0.18.10","0.18.11","0.18.12","0.18.13","0.18.14","0.18.2","0.18.3","0.18.4","0.18.5","0.18.6","0.18.7","0.18.8","0.18.9","0.19.0","0.19.1","0.19.2","0.19.3","0.19.4","0.19.5","0.19.6","0.19.7","0.19.8"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-rm69-wvpv-r2w7/GHSA-rm69-wvpv-r2w7.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}