Label Studio <1.6.0 SSRF Vulnerability (CVE‑2022‑36551)
Label Studio versions prior to 1.6.0 contain a server-side request forgery (SSRF) flaw in the data import module that lets an authenticated user read arbitrary files on the server. Because self-registration is enabled by default, a remote attacker can first create an account and then exploit the flaw; a proof-of-concept exploit is publicly available.
Label Studio is an open-source data annotation platform that supports audio, text, image, video and time-series inputs and can export annotations in a range of model-training formats. In Community Edition 1.5.0 and earlier, the data import module fetches content on behalf of the user without adequately restricting where that request may go, so an authenticated user can perform SSRF and use it to read arbitrary files on the host. The default configuration allows anyone who can reach the instance to register an account, so this is effectively exploitable by a remote, initially unauthenticated attacker.
A proof‑of‑concept for this vulnerability exists.
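The advisory above does not show code, so the following is an added example written for this page, not Label Studio's own code and not its 1.6.0 fix. It shows the class of check an "import from URL" feature needs before fetching server-side: only http/https, no embedded credentials, and every address the host resolves to must be globally routable (loopback, RFC 1918, link-local including the 169.254.169.254 metadata endpoint, and IPv4-mapped IPv6 are all rejected). The helper names (`validate_import_url`, `is_safe_import_url`, `constructed_resolver`) and the `CONSTRUCTED_DNS` table are assumptions made for the example so it runs offline.

```python
"""Added example: destination validation for a server-side "import from URL"
feature, the kind of code path CVE-2022-36551 concerns. Not Label Studio code."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeImportURL(ValueError):
    """Raised when a user-supplied import URL must not be fetched."""


def resolve_all(host):
    """Production resolver: every A/AAAA answer for host, as strings."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed lookup table standing in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "split.example": ["93.184.216.34", "127.0.0.1"],  # one public, one internal
    "mapped.example": ["::ffff:10.1.2.3"],            # IPv4-mapped IPv6
}


def constructed_resolver(host):
    """Offline stand-in for resolve_all backed by CONSTRUCTED_DNS."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed: no such host {host!r}")


def _is_public(ip):
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    # is_global is False for loopback, RFC 1918, link-local (which covers the
    # 169.254.169.254 cloud metadata endpoint), unspecified and reserved ranges.
    return ip.is_global and not ip.is_multicast


def validate_import_url(url, resolver=resolve_all):
    """Return url if it may be fetched server-side, else raise UnsafeImportURL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # file://, ftp://, gopher:// and friends are how SSRF turns into
        # local file reads or protocol smuggling; allow only http(s).
        raise UnsafeImportURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeImportURL("missing host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeImportURL("credentials in URL not allowed")
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, incl. [v6]
    except ValueError:
        # Not a literal, so resolve it. Odd spellings such as "2130706433" or
        # "0x7f000001" reach the resolver too; getaddrinfo turns them into
        # 127.0.0.1, so they are caught by the address check below.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            raise UnsafeImportURL(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise UnsafeImportURL(f"no addresses for {host!r}")
    # Every answer must be public: a name that resolves to both a public and
    # an internal address is rejected rather than fetched "on the good one".
    for ip in addrs:
        if not _is_public(ip):
            raise UnsafeImportURL(f"{host!r} resolves to non-public {ip}")
    return url


def is_safe_import_url(url, resolver=resolve_all):
    """Boolean convenience wrapper around validate_import_url."""
    try:
        validate_import_url(url, resolver)
        return True
    except UnsafeImportURL:
        return False


if __name__ == "__main__":
    for candidate in [
        "https://example.com/tasks.json",
        "file:///etc/passwd",
        "http://127.0.0.1:8080/api/",
        "http://169.254.169.254/latest/meta-data/",
        "http://split.example/tasks.json",
        "http://[::ffff:127.0.0.1]/",
    ]:
        print(f"{candidate!r:50} -> {is_safe_import_url(candidate, constructed_resolver)}")
```

Two caveats apply to any check of this shape. The validated address must be the one actually connected to: if the HTTP client resolves the name again at fetch time, a DNS-rebinding attacker can return a public address to the check and an internal one to the fetch, so pin the resolved IP (or re-validate inside the connection hook). And HTTP clients such as `requests` follow redirects by default, so either disable redirects or validate every hop, otherwise a public URL that 302s to `http://127.0.0.1/` passes the check and still reaches the internal service.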
Vulnerability Name: Label Studio <1.6.0 SSRF Vulnerability
Vulnerability Type: SSRF
Discovery Date: 2022/10/4
Impact Scope: Broad
MPS Number: MPS-2022-52206
CVE Number: CVE-2022-36551
CNVD Number: -
Impact range: label-studio versions [0, 1.6.0), i.e. every release before 1.6.0.
Remediation: Upgrade the label-studio component to version 1.6.0 or later. Until the upgrade is done, reduce exposure by not letting untrusted users obtain accounts: Label Studio's open sign-up can be turned off by setting the environment variable LABEL_STUDIO_DISABLE_SIGNUP_WITHOUT_LINK=true, and the instance should not be reachable from untrusted networks. Note that this only raises the bar; any legitimate user can still trigger the SSRF on an unpatched version.