AVID-2026-R1363
Description
flairNLP flair Mode File Loader clustering.py ClusteringModel code injection (CVE-2024-10073)
Details
A vulnerability classified as critical was found in flairNLP flair 0.14.0. Affected is the function ClusteringModel in the file flair/models/clustering.py of the component Mode File Loader (the model file loader). The loader restores a saved ClusteringModel by unpickling the model file, so a crafted model file executes attacker-controlled code at load time; the manipulation therefore leads to code injection. The attack can be launched remotely, but it requires the victim to load a model file the attacker supplies, which is why the attack complexity is rated high and exploitation is considered difficult (reflected in the AC:H and UI:R components of the CVSS vector below, and the reason the textual rating of "critical" does not match the 5.0 Medium base score). A public exploit has been disclosed and may be used. The vendor was contacted early about this disclosure but did not respond.
Reason for inclusion in AVID: The CVE describes a code-injection vulnerability in Flair NLP (flair 0.14.0) affecting the ClusteringModel in the Mode File Loader. Flair is an NLP library used in ML pipelines, so this vulnerability concerns AI software stacks and their deployment and runtime components. It enables remote code execution, a clear security risk in software used to build, train and deploy AI systems. The public CVE entry and its references provide sufficient evidence for AVID curation.
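The following is an added example, not code from flair or from the referenced PoC, showing the general mechanism behind this class of bug and one mitigation: a model file that is a Python pickle can carry a `__reduce__` payload that runs on load, a plain `pickle.loads` executes it, and a restricted `Unpickler` with an explicit allow-list refuses it while still loading a benign file. The class `MaliciousModel`, the marker function `_payload_sink` and the allow-list contents are constructed for the demonstration; a real payload would call `os.system` or similar, and a real allow-list for a flair model would have to enumerate the torch and numpy globals a genuine checkpoint needs.

```python
"""Added example: pickle-based model files as a code-execution vector,
plus a static triage step and a restricted loader. Not flair's code."""
import io
import pickle
import pickletools

# Side-effect marker (constructed): records whether the payload ran.
EXECUTED = []


def _payload_sink(tag):
    """Stands in for an attacker's callable (e.g. os.system)."""
    EXECUTED.append(tag)
    return tag


class MaliciousModel:
    """Object whose pickle calls an arbitrary callable when unpickled."""

    def __reduce__(self):
        # Serialised as: resolve _payload_sink by module/name, call it with "pwned".
        return (_payload_sink, ("pwned",))


def build_malicious_model_file() -> bytes:
    """The bytes an attacker would ship as a 'saved model'."""
    return pickle.dumps(MaliciousModel(), protocol=4)


def build_benign_model_file() -> bytes:
    """A harmless saved model made only of builtin containers and floats."""
    return pickle.dumps({"centroids": [[0.1, 0.2], [0.9, 0.8]], "k": 2}, protocol=4)


def naive_load(data: bytes):
    """Mirrors a loader that trusts the file: plain pickle.loads."""
    return pickle.loads(data)


def list_globals(data: bytes):
    """Static triage: list every global the pickle would import, without executing it.

    GLOBAL carries "module name" as its argument; STACK_GLOBAL (protocol 4)
    takes the module and name from the two preceding string opcodes.
    """
    strings = []
    found = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allow-list of (module, name) globals."""

    ALLOWED = {("collections", "OrderedDict"), ("builtins", "dict"), ("builtins", "list")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Run the malicious file through both loaders and report what happened."""
    blob = build_malicious_model_file()
    EXECUTED.clear()
    naive_load(blob)                      # payload runs here
    naive_ran = list(EXECUTED)
    EXECUTED.clear()
    try:
        safe_load(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return {
        "globals": list_globals(blob),    # shows _payload_sink before any load
        "naive_ran": naive_ran,
        "safe_blocked": blocked,
        "safe_ran": list(EXECUTED),
        "benign_ok": safe_load(build_benign_model_file()),
    }


if __name__ == "__main__":
    print(demo())
```

`list_globals` is the check to run on an untrusted model file before loading it at all: any global outside the set a genuine checkpoint needs is a red flag. `RestrictedUnpickler` is the narrowest fix; the broader one is to persist models in a format that carries no executable objects (for example safetensors or plain JSON plus numpy arrays) and only accept model files from sources you control.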
References
- NVD entry
- https://vuldb.com/?id.280722
- https://vuldb.com/?ctiid.280722
- https://vuldb.com/?submit.420055
- https://github.com/bayuncao/vul-cve-20
- https://github.com/bayuncao/vul-cve-20/blob/main/PoC.py
Affected or Relevant Artifacts
- Developer: flairNLP
- Deployer: flairNLP
- Artifact Details:
| Type | Name |
|---|---|
| System | flair |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
| Base Score | 5.0 |
| Base Severity | 🟠 Medium |
CWE
| ID | Description |
|---|---|
| CWE-94 | Code Injection |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-10-17
- Version: 0.3.3
- AVID Entry