
CVE-2024-49048: TorchGeo Remote Code Execution Vulnerability

CVSS Score (v3.1): 8.1

Basic Information

EPSS Score: 0.55058%
Published: 11/12/2024
Updated: 1/21/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
torchgeo     | pip       | >= 0, < 0.6.1       | 0.6.1

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from code injection via eval() in the model weight API. GitHub PR #2323 explicitly shows the removal of the eval() call from the get_weight function to fix the security issue, and the CVE description and patch notes confirm this was the attack vector. The eval() call in get_weight evaluated arbitrary strings passed as weight identifiers, which matches CWE-94 (Code Injection).
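To illustrate the pattern the analysis describes, here is an added example (not TorchGeo's code and not the fix from PR #2323): a weight resolver that hands the identifier string to eval() beside an allowlist-based resolver. The enum, its members and the registry are constructed stand-ins.

```python
from enum import Enum


# Constructed stand-in for a pretrained-weights enum; not TorchGeo's own definition.
class ResNet50_Weights(Enum):
    SENTINEL2_ALL_MOCO = "sentinel2_all_moco"
    SENTINEL2_RGB_MOCO = "sentinel2_rgb_moco"


# Explicit allowlist of resolvable enums (constructed for this example).
WEIGHT_ENUMS = {"ResNet50_Weights": ResNet50_Weights}


def get_weight_vulnerable(name: str) -> Enum:
    # The pattern the advisory describes: the caller-supplied identifier is
    # passed to eval(), so whatever Python expression `name` holds is executed
    # rather than merely looked up.
    return eval(name)


def get_weight_safe(name: str) -> Enum:
    # Hardened form (an assumed design, not the project's actual patch):
    # split the dotted identifier and resolve each part against the allowlist,
    # so the string can only ever select an existing enum member.
    enum_name, sep, member = name.partition(".")
    if not sep or not member or "." in member:
        raise ValueError(f"expected '<Enum>.<MEMBER>', got {name!r}")
    enum_cls = WEIGHT_ENUMS.get(enum_name)
    if enum_cls is None:
        raise ValueError(f"unknown weights enum {enum_name!r}")
    try:
        return enum_cls[member]
    except KeyError:
        raise ValueError(f"unknown member {member!r} of {enum_name}") from None


def rejects(name: str) -> bool:
    # Helper for checking that the safe resolver refuses an identifier.
    try:
        get_weight_safe(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ident = "ResNet50_Weights.SENTINEL2_ALL_MOCO"
    print(get_weight_vulnerable(ident), get_weight_safe(ident))
    print(rejects("1+1"), rejects("ResNet50_Weights.MISSING"))
```

Both resolvers agree on a well-formed identifier; the difference is that the safe version raises ValueError for anything that is not an allowlisted enum member instead of evaluating it.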
