We use cookies to improve your experience on our site.
AVID-2026-R1383
Description
Remote Code Execution in kedro-org/kedro (CVE-2024-12215)
Details
In kedro-org/kedro version 0.19.8, the pull_package() API function allows users to download and extract micro packages from the Internet. However, the function project_wheel_metadata() within the code path can execute the setup.py file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim’s machine.
Reason for inclusion in AVID: The CVE describes a remote code execution vulnerability in kedro’s pull_package flow, where setup.py inside downloaded tarballs can be executed, enabling arbitrary code execution. Kedro is a Python framework widely used in ML/data-pipeline contexts; this directly affects software supply chains for AI systems (dependencies, pipelines, tooling). It is a software vulnerability (not hardware/firmware-only) with clear security impact (RCE) and sufficient evidence in the report.
References
Affected or Relevant Artifacts
- Developer: kedro-org
- Deployer: kedro-org
- Artifact Details:
| Type | Name |
|---|---|
| System | kedro-org/kedro |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Base Score | 8.8 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-94 | CWE-94 Improper Control of Generation of Code |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry