We use cookies to improve your experience on our site.
AVID-2026-R1128
Description
Vulnerability CVE-2022-40808
Details
The d8s-dates for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-hypothesis package. The affected version is 0.1.0
Reason for inclusion in AVID: CVE-2022-40808 describes a code-execution backdoor inserted into a Python package distributed on PyPI (d8s-dates), via a malicious dependency (democritus-hypothesis). This is a software supply chain vulnerability in a Python ecosystem artifact, which could impact AI systems that depend on Python libraries or pipelines. While not AI-specific, it concerns software commonly used in ML pipelines and deployment. The report provides clear evidence (CVE record, PyPI page, issue tracker) of a security vulnerability in a software supply chain artifact.
References
- NVD entry
- https://pypi.org/project/democritus-hypothesis/
- https://github.com/democritus-project/d8s-dates/issues/26
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-09-19
- Version: 0.3.3
- AVID Entry