Safety vulnerability ID: 64822
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Latest version: 1.22.0
Label Studio annotation tool
🌟 What's New
🎉 New Features
Consolidated Label Studio Codebase
This release introduces a simplified Label Studio repository structure.
Previously, the Label Studio frontend and Data Manager codebases were each located in a separate repository: [label-studio-frontend](https://github.com/HumanSignal/label-studio-frontend) and [dm2](https://github.com/HumanSignal/dm2). Starting with this release, the Label Studio Frontend and Data Manager code will be updated and maintained in the main [label-studio](https://github.com/HumanSignal/label-studio/tree/develop) repository.
The Label Studio Frontend code is now located in the label-studio repository under **`web/libs/editor`**, and the Data Manager code can be found under **`web/libs/datamanager`**. For more information, see our [contributing guide](https://github.com/HumanSignal/label-studio/blob/develop/CONTRIBUTING.md#code-organization).
This consolidated codebase has many benefits, including streamlined and simplified workflows, increased efficiency when performing cross-component changes, and improved navigation. Most importantly, a unified codebase will make it easier for our Open Source community to navigate and understand the Label Studio code architecture, lowering the barrier to entry for new contributors. ([5154](https://github.com/HumanSignal/label-studio/pull/5154))
🔐 Security
- This release includes several measures to increase SSRF protection, which address [`CVE-2023-47116`](https://github.com/HumanSignal/label-studio/security/advisories/GHSA-p59w-9gqw-wj8r) ([5316](https://github.com/HumanSignal/label-studio/pull/5316)):
  - When `SSRF_PROTECTION_ENABLED` is set to `true` (note that it defaults to `false`), our new default is to ban [all IPs within reserved blocks](https://en.wikipedia.org/wiki/Reserved_IP_addresses), for both IPv4 and IPv6.
  - We are introducing two new environment variables, to be used in conjunction with `SSRF_PROTECTION_ENABLED=true`:
    - `USER_ADDITIONAL_BANNED_SUBNETS` — Use this to specify additional IP addresses or CIDR blocks to ban from server-side requests (e.g. the URL-based file uploader).
    - `USE_DEFAULT_BANNED_SUBNETS` — This is set to `True` by default. If you would like to have full control over banned subnets, you can set this to `False` and use `USER_ADDITIONAL_BANNED_SUBNETS` to specify all the IP addresses / CIDR blocks you’d like to disallow instead.
  - We have also improved our error messages to make it clearer when an action is being blocked due to SSRF protections.
- Implemented comprehensive HTML sanitization to safeguard against vulnerabilities and ensure a secure user experience. ([5232](https://github.com/HumanSignal/label-studio/pull/5232))
- Addressed several vulnerabilities found in the npm-axios package. ([5229](https://github.com/HumanSignal/label-studio/pull/5229))
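As an added illustration of how the three SSRF settings above combine, the following is example code written for this page, not Label Studio's own implementation. It assumes `USER_ADDITIONAL_BANNED_SUBNETS` is a comma-separated list, uses a stand-in reserved-block list (the exact list the project ships is not on this page), and replaces DNS with a constructed name table so it runs offline; the function names `build_banned_networks`, `is_banned_ip`, `check_url` and `fake_getaddrinfo` are made up for the example. It also covers one edge case a deny-list check has to get right: an IPv4-mapped IPv6 address (`::ffff:10.0.0.7`) is judged as the embedded IPv4 address, so an operator who turns off the defaults and bans only `10.0.0.0/8` still catches it.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed default deny-list: the IANA reserved blocks for IPv4 and IPv6.
# The release notes say "all IPs within reserved blocks"; the exact list
# Label Studio ships is not on the page, so this one is a stand-in.
DEFAULT_BANNED_SUBNETS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "64:ff9b::/96", "100::/64",
    "2001::/32", "2001:db8::/32", "fc00::/7", "fe80::/10", "ff00::/8",
]


def _truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def build_banned_networks(settings):
    """Assemble the deny-list from the settings described in the release notes."""
    use_defaults = _truthy(settings.get("USE_DEFAULT_BANNED_SUBNETS", "True"))
    cidrs = list(DEFAULT_BANNED_SUBNETS) if use_defaults else []
    # Assumption: USER_ADDITIONAL_BANNED_SUBNETS is comma-separated; a bare
    # address becomes a /32 or /128 network.
    extra = settings.get("USER_ADDITIONAL_BANNED_SUBNETS", "")
    cidrs.extend(c.strip() for c in extra.split(",") if c.strip())
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_banned_ip(ip_str, networks):
    """True if ip_str falls in any banned network.

    An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is also judged as the embedded
    IPv4 address, so a list naming only 10.0.0.0/8 still catches ::ffff:10.0.0.7.
    """
    ip = ipaddress.ip_address(ip_str.split("%", 1)[0])  # drop any zone id
    candidates = [ip]
    if ip.version == 6 and ip.ipv4_mapped is not None:
        candidates.append(ip.ipv4_mapped)
    return any(c in net for c in candidates for net in networks)


def check_url(url, settings, resolver=socket.getaddrinfo):
    """Decide whether a server-side fetch of url is allowed; returns (allowed, reason).

    resolver has socket.getaddrinfo's signature so the example can run offline.
    """
    if not _truthy(settings.get("SSRF_PROTECTION_ENABLED", "false")):
        return True, "SSRF protection disabled"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    networks = build_banned_networks(settings)
    try:
        addresses = {entry[4][0] for entry in resolver(host, None)}
    except socket.gaierror as exc:
        return False, f"could not resolve {host}: {exc}"
    # Every address the name resolves to must pass, not just the first one.
    for address in sorted(addresses):
        if is_banned_ip(address, networks):
            return False, f"{host} resolves to {address}, which is in a banned subnet"
    return True, "ok"


# Constructed name table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "link-local.test": ["169.254.10.10"],
    "intranet.test": ["10.0.0.7"],
    "mapped.test": ["::ffff:10.0.0.7"],
    "files.example.test": ["203.0.113.10"],
}


def fake_getaddrinfo(host, port, *args, **kwargs):
    """Offline stand-in for socket.getaddrinfo; IP literals resolve to themselves."""
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        ips = FAKE_DNS.get(host)
    if not ips:
        raise socket.gaierror(f"constructed lookup failure for {host}")
    return [(socket.AF_INET6 if ":" in ip else socket.AF_INET, socket.SOCK_STREAM,
             0, "", (ip, port or 0)) for ip in ips]


if __name__ == "__main__":
    enabled = {"SSRF_PROTECTION_ENABLED": "true"}
    for url in ("http://link-local.test/", "https://files.example.test/a.png"):
        print(url, check_url(url, enabled, fake_getaddrinfo))
```

One caveat this sketch does not solve on its own: it resolves the name once and then returns a verdict, so the HTTP client that performs the real fetch may resolve the name a second time and get a different answer (DNS rebinding), and an HTTP redirect can point at a fresh host. A production check should connect to the vetted address rather than the name (or re-run the check on every hop, including redirects), which is the behaviour an SSRF guard like the one described in the notes needs to pair with.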
🐞 Bug Fixes
- Fixed an issue where Label Studio crashed when configuring multiple hotkeys using the `hotkey=","` format. ([5240](https://github.com/HumanSignal/label-studio/pull/5240))
- Fixed an issue where credential validation was failing in the Label Studio interface for cloud storage configured using the SDK. ([5228](https://github.com/HumanSignal/label-studio/pull/5228))
- Fixed an issue where cancelled and updated annotations were not recalculating `is_labeled` and other counters. ([4472](https://github.com/HumanSignal/label-studio/pull/4472))
- Fixed an issue where annotation drafts were not changing when switching to view all mode. ([5141](https://github.com/HumanSignal/label-studio/pull/5141))
- Fixed an issue where users would encounter an error when using the **Storage filename** filter in the Data Manager. ([5289](https://github.com/HumanSignal/label-studio/pull/5289))
- Fixed an issue where users were unable to use the **View all annotations** option when the project included images that had an empty URL. ([5245](https://github.com/HumanSignal/label-studio/pull/5245))
- Fixed an issue where relations were not displayed if they were added by a user while reviewing a task. ([5140](https://github.com/HumanSignal/label-studio/pull/5140))
- Fixed an issue where users were seeing the Comments tab (an Enterprise-only feature) when resizing their screen. ([5230](https://github.com/HumanSignal/label-studio/pull/5230))
🤩 Contributors
- juliosgarbi
- jombooth
- Gondragos
- hlomzik
- KonstantinKorotaev
- makseq
- Travis1282