CRITICAL🇵🇱 Wersja polska

CVE-2024-10190

CVSS 9.8v3.0pub. 2025-03-20upd. 2025-12-11

Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. The vulnerability is due to improper handling of base64-encoded data in the `ElasticRendezvousHandler`, a subclass of `KVStoreHandler`. Specifically, the `_put_value` method in `ElasticRendezvousHandler` calls `codec.loads_base64(value)`, which eventually invokes `cloudpickle.loads(decoded)`. This allows an attacker to send a malicious pickle object via a PUT request, leading to arbitrary code execution on the server.

🤖 AI Analysis
How it works

The vulnerability lies in the `ElasticRendezvousHandler` class, a subclass of `KVStoreHandler`. The `_put_value` method decodes data from base64 format via `codec.loads_base64(value)`, then calls `cloudpickle.loads(decoded)` on the obtained data. The `cloudpickle` library performs deserialization without any content validation, meaning an attacker can send a malicious pickle object in an HTTP PUT request. As a result of deserialization, the server executes arbitrary code contained in the crafted payload.

Impact

An unauthenticated remote attacker can execute arbitrary code on the server (RCE), which in practice means complete machine takeover, data theft, backdoor installation, or further lateral movement in the infrastructure.

Mitigation & patch

Apply patches available from the vendor according to references. It is also recommended to restrict network access to ElasticRendezvous endpoints only to trusted hosts (e.g., using firewall or network rules) as a temporary measure until updates are applied.

Who is affected

Horovod in all versions up to and including v0.28.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Horovod

    APP
    Horovod
    ≤ 0.28.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2022-0315HIGH7.5ten sam produkt

Insecure Temporary File in GitHub repository horovod/horovod prior to 0.24.0.