AVID-2026-R1483
Description
Vulnerability CVE-2024-34997
Details
joblib v1.4.2 was discovered to contain a deserialization vulnerability via the component joblib.numpy_pickle::NumpyArrayWrapper().read_array(). NOTE: this is disputed by the supplier because NumpyArrayWrapper is only used during caching of trusted content.
Reason for inclusion in AVID: CVE-2024-34997 describes a deserialization vulnerability in the Python library joblib, which is widely used in ML pipelines and AI software stacks for caching and serialization. It directly affects software components used to build, train, and deploy AI systems (e.g., joblib in typical ML workflows), and therefore impacts the software supply chain of general-purpose AI systems. The vulnerability is security-focused (deserialization leading to potential exploitation), and the report provides an explicit CVE entry, description, and references, establishing sufficient signal for curation. Although the vendor disputes the exact scope, the AVID signal remains relevant for AI software supply chains.
References
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-05-17
- Version: 0.3.3