A vulnerability in the `ImageClassificationDataset.from_csv()` API of the `dmlc/gluon-cv` repository, version 0.10.0, allows for arbitrary file write. The function downloads and extracts `tar.gz` files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can exploit this by crafting malicious tar files that, when extracted, can overwrite files on the victim's system via path traversal or faked symlinks.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| gluoncv(PyPI) | 0 | N/A | N/A |
CVSS Metrics
