AVID-2026-R1646

Description

MD5 Hash Collision in SageMaker Workflow in aws/sagemaker-python-sdk (CVE-2025-0508)

Details

A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This issue can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes.

Reason for inclusion in AVID: The CVE describes an MD5 hash collision vulnerability in the SageMaker Workflow component of the aws/sagemaker-python-sdk, which can cause integrity issues in ML pipelines. This directly concerns AI software tooling and workflows used to build/deploy general-purpose AI systems, representing a software supply chain risk in AI stacks (dependencies, runtimes, model serving/workflow orchestration). The vulnerability is security-related (integrity risk) and is supported by CVE details and references, providing sufficient evidence for classification.

References

• NVD entry
• https://huntr.com/bounties/eb056818-5b81-466f-81ee-916058d34af2
• https://github.com/aws/sagemaker-python-sdk/commit/dcdd99f911e8b1a05d19cf1ad939b0fefae47864

Affected or Relevant Artifacts

• Developer: aws
• Deployer: aws
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2025-03-20
• Version: 0.3.3
• AVID Entry