Safety vulnerability ID: 76300
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. The vulnerability is due to improper handling of base64-encoded data in the ElasticRendezvousHandler, a subclass of KVStoreHandler. Specifically, the _put_value method in ElasticRendezvousHandler calls codec.loads_base64(value), which eventually invokes cloudpickle.loads(decoded). This allows an attacker to send a malicious pickle object via a PUT request, leading to arbitrary code execution on the server.
Latest version: 0.28.1
Distributed training framework for TensorFlow, Keras, PyTorch, and Apache MXNet.
This vulnerability has no description
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application