{"id":"PYSEC-2024-85","details":"Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.","aliases":["CVE-2024-45855","GHSA-fr9q-rgwq-g5r5"],"modified":"2026-04-23T07:45:32.314154Z","published":"2024-09-12T13:15:00Z","references":[{"type":"EVIDENCE","url":"https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/"},{"type":"ADVISORY","url":"https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/"}],"affected":[{"package":{"name":"mindsdb","ecosystem":"PyPI","purl":"pkg:pypi/mindsdb"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"23.10.2.0"}]}],"versions":["23.10.2.0","23.10.3.0","23.10.3.1","23.10.5.0","23.11.1.0","23.11.4.0","23.11.4.1","23.11.4.4a6","23.12.4.0","23.12.4.1","23.12.4.2","24.1.4.0","24.2.3.0","24.3.4.0","24.3.4.1","24.3.4.2","24.3.5.0","24.4.2.0","24.4.2.1","24.4.3.0","24.5.4.0","24.6.1.0","24.6.1.1","24.6.2.0","24.6.2.2","24.6.3.0","24.6.3.1","24.6.4.1","24.7.1.0","24.7.2.0","24.7.3.0","24.7.4.0","24.7.4.1","24.7.5.0","24.8.1.0","24.8.1.1","24.8.2.0","24.8.3.0","24.8.4.0","24.9.1.0","24.9.2.0","24.9.2.1","24.9.3.0","24.9.3.1","24.9.3.2","24.9.4.0","24.9.4.1","24.10.1.0","24.10.2.0","24.10.3.0","24.10.4.0","24.10.4.1","24.10.4.2","24.10.5.0","24.11.1.0","24.11.1.1","24.11.2.0","24.11.3.0","24.11.4.0","24.11.4.1","24.11.4.2","24.12.1.0","24.12.2.0","24.12.2.1","24.12.3.0","24.12.2.2","24.12.4.0","25.1.2.0","25.1.2.1","25.1.3.0","25.1.4.0","25.1.5.0","25.1.5.1","25.1.5.2","25.1.5.3","25.2.1.0","25.2.1.2","25.2.2.0","25.2.2.1","25.2.2.2","25.2.3.0","25.2.4.0","25.3.1.0","25.3.2.0","25.3.3.0","25.3.4.0","25.3.4.1","25.3.4.2","25.4.1.0","25.4.2.0","25.4.2.1","25.4.3.0","25.4.3.1","25.4.3.2","25.4.4.0","25.4.5.0","25.5.3.0","25.5.4.0","25.5.4.1","25.5.4.2","25.6.2.0","25.6.3.0","25.6.3.1","25.6.4.0","25.7.1.0","25.7.2.0","25.7.3.0","25.7.4.0","25.8.2.0","25.8.3.0","25.9.1.0","25.9.1.1","25.9.1.2","25.9.2.0a1","25.9.3rc1","25.10.0rc1","25.10.0","25.10.1","25.11.0rc1","25.11.0rc2","25.11.0","25.11.1","25.12.0rc1","25.12.0","25.13.0rc1","25.13.0rc2","25.13.0","25.13.1","25.14.0rc1","25.14.0","25.14.1","26.0.0rc1","26.0.0rc2","26.0.0rc3","26.0.0","26.0.1","26.1.0rc1","26.1.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mindsdb/PYSEC-2024-85.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}