An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| refuel-autolabel(PyPI) | 0.0.8 | N/A | N/A |
CVSS Metrics
