PYSEC-2025-124

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/label-studio/PYSEC-2025-124.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2025-124
Aliases
Published
2025-05-14T23:15:48.213Z
Modified
2026-05-20T09:19:03.900919Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Label Studio is a multi-type data labeling and annotation tool. A vulnerability in versions prior to 1.18.0 allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, session hijacking, unauthorized actions on behalf of the user, and other attacks. The vulnerability is reproducible when sending a properly formatted request to the POST /projects/upload-example/ endpoint. In the source code, the vulnerability is located at label_studio/projects/views.py. Version 1.18.0 contains a patch for the issue.

References

Affected packages

PyPI / label-studio

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.18.0

Affected versions

0.*
0.4.1
0.4.2
0.4.3
0.4.4
0.4.4.post1
0.4.4.post2
0.4.5
0.4.6
0.4.6.post1
0.4.6.post2
0.4.7
0.4.8
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.4.post0
0.7.4.post1
0.7.5.post1
0.7.5.post2
0.8.0
0.8.0.post0
0.8.1
0.8.1.post0
0.8.2
0.8.2.post0
0.9.0
0.9.0.post2
0.9.0.post3
0.9.0.post4
0.9.0.post5
0.9.1
0.9.1.post0
0.9.1.post1
0.9.1.post2
1.*
1.0.0
1.0.0.post0
1.0.0.post1
1.0.0.post2
1.0.0.post3
1.0.1
1.0.2
1.0.2.post0
1.1.0rc0
1.1.0
1.1.1
1.2
1.3
1.3.post0
1.3.post1
1.4
1.4.1
1.4.1.post0
1.4.1.post1
1.5.0
1.5.0.post0
1.6.0
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0
1.8.1
1.8.2
1.8.2.post0
1.8.2.post1
1.9.0
1.9.1
1.9.1.post0
1.9.2
1.9.2.post0
1.10.0
1.10.0.post0
1.10.1
1.11.0
1.12.0
1.12.0.post0
1.12.1
1.13.0
1.13.1
1.14.0
1.14.0.post0
1.15.0
1.16.0
1.17.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/label-studio/PYSEC-2025-124.yaml"