
CVE-2024-10190: Horovod Vulnerable to Command Injection

CVSS Score: 9.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.67502%
Published: 3/20/2025
Updated: 3/20/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
horovod      | pip       | (not listed)        | (not listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems directly from the _put_value method in ElasticRendezvousHandler handling user-controlled data through insecure deserialization. The method calls codec.loads_base64(value) which decodes and deserializes untrusted input via cloudpickle.loads(), a known unsafe practice for untrusted data. This function is explicitly referenced in all vulnerability descriptions as the attack entry point.
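The base64-then-unpickle pattern the analysis describes, shown next to a restricted loader that refuses any global reference not on an allowlist. This is an added illustration written for this page, not Horovod's code; the standard-library pickle stands in for cloudpickle, and the allowlist contents, the helper names and the sample payloads are assumptions.

```python
import base64
import io
import pickle
from collections import OrderedDict

# Constructed example (not Horovod's implementation). The unsafe loader
# mirrors the pattern in the analysis: base64-decode a network-supplied value
# and hand the bytes straight to a pickle-family loader.
def loads_base64_unsafe(value: str):
    # Any callable named in the pickle stream is resolved and invoked on load,
    # which is why this must never see untrusted input.
    return pickle.loads(base64.b64decode(value))

# Assumed allowlist: the only class the protocol legitimately needs by name.
SAFE_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve a (module, name) pair only if it is explicitly allowlisted."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global reference {module}.{name}")

def loads_base64_restricted(value: str):
    raw = base64.b64decode(value, validate=True)  # reject malformed base64 early
    return RestrictedUnpickler(io.BytesIO(raw)).load()

def dumps_base64(obj) -> str:
    return base64.b64encode(pickle.dumps(obj)).decode("ascii")

def demo() -> dict:
    """Plain data and an allowlisted class load; a non-allowlisted global is refused."""
    plain = loads_base64_restricted(dumps_base64({"rank": 1, "hosts": ["h1", "h2"]}))
    ordered = loads_base64_restricted(dumps_base64(OrderedDict(a=1)))
    # `print` is a harmless stand-in for any global the stream might name.
    try:
        loads_base64_restricted(dumps_base64(print))
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return {
        "plain": plain,
        "ordered_type": type(ordered).__name__,
        "ordered": dict(ordered),
        "blocked": blocked,
        "unsafe_returns_callable": callable(loads_base64_unsafe(dumps_base64(print))),
    }

if __name__ == "__main__":
    print(demo())
```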
