AVID-2026-R1127
Description
Vulnerability CVE-2022-40432
Details
The d8s-strings package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package, pulled in as a dependency. The affected version is 0.1.0.
Reason for inclusion in AVID: CVE-2022-40432 describes a code-execution backdoor injected into a Python PyPI package (d8s-strings) by a third party, affecting at least version 0.1.0. This is a software supply-chain vulnerability in a package that could be used within AI software stacks (as a dependency or as tooling in ML pipelines). The vulnerability is security-related (remote code execution), and there is explicit evidence in the CVE entry and the linked sources (NVD, PyPI pages, issue discussion). This aligns with AVID's focus on software supply-chain issues affecting general-purpose AI systems.
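A practical defender's check for this advisory is to look for the affected release and for the package named as the backdoor in dependency pins and in the installed environment. The script below is an added example written for this entry, not AVID's own tooling or the project's code. It uses only the two package names and the version stated above; the requirements text it scans is a constructed sample, and the PEP 503 name normalization is included because PyPI treats `d8s_strings`, `D8S-Strings` and `d8s-strings` as the same project.

```python
"""Flag the d8s-strings 0.1.0 / democritus-hypothesis supply-chain issue (CVE-2022-40432).

Added example for this AVID entry, not part of AVID or the d8s-strings project.
Two checks: requirements-style text (pins, lock exports) and the packages
installed in the current interpreter via importlib.metadata.
"""
import re
from importlib import metadata
from typing import List, Tuple

# Values taken from the advisory text; nothing else is assumed.
AFFECTED = {"d8s-strings": {"0.1.0"}}
BACKDOOR_PACKAGES = {"democritus-hypothesis"}

# Requirement name, optionally followed by an exact '==' pin. Other specifiers
# (>=, ~=, extras, markers) are tolerated but treated as "not exactly pinned".
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?")

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
d8s_strings==0.1.0   # constructed sample pin
Democritus-Hypothesis>=0.1
numpy
d8s-strings
"""

Finding = Tuple[int, str, str]  # (line number, name as written, reason)


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify(name: str, version) -> str:
    """Return a reason string for a (name, version) pair, or '' if it is clean."""
    canonical = normalize(name)
    if canonical in BACKDOOR_PACKAGES:
        return "backdoor-package"
    if canonical in AFFECTED:
        if version is None:
            # Unpinned: the affected release cannot be excluded at resolve time.
            return "unpinned-affected-package"
        if version in AFFECTED[canonical]:
            return "affected-release"
    return ""


def check_requirements(text: str) -> List[Finding]:
    """Scan requirements-style lines and return every match against the advisory."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options (-r, -e, ...)
            continue
        match = _REQ_RE.match(line)
        if not match:
            continue
        reason = classify(match.group(1), match.group(2))
        if reason:
            findings.append((lineno, match.group(1), reason))
    return findings


def check_installed() -> List[Finding]:
    """Check installed distributions and their declared dependencies (line number is 0)."""
    findings: List[Finding] = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"] or ""
        reason = classify(name, dist.version)
        if reason:
            findings.append((0, name, reason))
        # A clean-looking package that declares the backdoor as a dependency.
        for req in dist.requires or []:
            dep = _REQ_RE.match(req)
            if dep and normalize(dep.group(1)) in BACKDOOR_PACKAGES:
                findings.append((0, name, "depends-on-backdoor-package"))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements line {lineno}: {name}: {reason}")
    for _, name, reason in check_installed():
        print(f"installed: {name}: {reason}")
```

Run it against a real `requirements.txt` by reading the file into `check_requirements`; `check_installed` reports on whatever environment the interpreter is running in, which is the useful view for a deployed ML service where the lock file may not match what was actually installed.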
References
- NVD entry
- https://pypi.org/project/d8s-strings/
- https://pypi.org/project/democritus-hypothesis/
- https://github.com/democritus-project/d8s-strings/issues/21
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-09-19
- Version: 0.3.3
- AVID Entry