label-studio is vulnerable to Improper Control of Generation of Code (Code Injection)
81
High Risk
Affected versions of this package are vulnerable to arbitrary JavaScript execution because the arguments to the getProperty method are not sanitized before being used in a new Function() call. This allows an attacker to craft a malicious payload that breaks out of the intended property lookup and injects executable code. Since new Function() evaluates the generated string as live JavaScript, this vulnerability can result in Remote Code Execution (RCE) in environments where attacker-controlled input reaches this method.
You are affected if you are using a version that falls within the vulnerable range.
label-studio is vulnerable to Improper Control of Generation of Code (Code Injection) in versions 1.11.0 - 1.17.0.
Upgrade the label-studio library to a patched version.
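To make the bug class concrete, here is an added illustration of the pattern the advisory describes (dynamic code generation from a property path) next to a hardened lookup that never generates code. This is example code written for this page, not label-studio's getProperty implementation; the function names getPropertyUnsafe and getPropertySafe, the sample object and the identifier rule are all assumptions.

```javascript
// Added illustration of the bug class in the advisory. Hypothetical names;
// this is NOT label-studio's code and does not reproduce its internals.

// Unsafe pattern: the lookup path is spliced into source text and compiled.
// Anything that reaches `path` is treated as JavaScript, not as a property name,
// so a non-identifier input can alter what the generated function does.
function getPropertyUnsafe(obj, path) {
  return new Function("obj", "return obj." + path + ";")(obj);
}

// Hardened form: the path is split into segments, each segment must be a plain
// identifier, and the walk uses ordinary property access on own properties only.
// No string is ever compiled, so there is nothing for a payload to break out of.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function getPropertySafe(obj, path) {
  if (typeof path !== "string") return undefined;
  let cur = obj;
  for (const seg of path.split(".")) {
    // Reject any segment that is not a bare identifier ("text; 1", "a[0]", "").
    if (!IDENT.test(seg)) return undefined;
    if (cur === null || cur === undefined) return undefined;
    // Own-property check: refuses walks into the prototype chain
    // (e.g. "constructor.constructor" or "__proto__") on plain data objects.
    if (!Object.prototype.hasOwnProperty.call(cur, seg)) return undefined;
    cur = cur[seg];
  }
  return cur;
}

// Constructed sample input resembling a task record.
const sampleTask = { task: { data: { text: "hello" }, id: 7 } };

console.log(getPropertySafe(sampleTask, "task.data.text")); // hello
console.log(getPropertySafe(sampleTask, "task.data.text; 1")); // undefined (rejected, never evaluated)
```

The safe variant fails closed: a malformed or unexpected path yields undefined rather than an exception or an evaluation, which is what a lookup helper that may see user-supplied paths should do.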