We use cookies to improve your experience on our site.
AVID-2026-R1129
Description
Vulnerability CVE-2022-40811
Details
The d8s-urls for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0.
Reason for inclusion in AVID: CVE-2022-40811 describes a backdoor inserted into a PyPI-distributed package (democritus-file-system) bundled with d8s-urls for Python, enabling potential code execution. This is a software supply-chain compromise in a Python package, which can impact AI workflows that rely on PyPI dependencies in AI pipelines, model serving stacks, or tooling. The report provides concrete signals (NVD entry, PyPI project page, GitHub issue) indicating a genuine vulnerability in a software supply chain. While not AI-specific, it affects components commonly used to build/run AI systems, satisfying the AI-supply-chain criteria.
References
- NVD entry
- https://pypi.org/project/democritus-file-system/
- https://github.com/democritus-project/d8s-urls/issues/11
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-09-19
- Version: 0.3.3
- AVID Entry