AIKIDO-2025-10650
mage-ai is vulnerable to Initialization of a Resource with an Insecure Default
61
Medium Risk
This Affects:
mage-aiTL;DR
Affected versions of this package ship with an insecure default for the REQUIRE_USER_AUTHENTICATION setting. An attacker can initiate this remotely; while exploitation is reported to be non-trivial (higher complexity) and considered difficult in practice, a public disclosure exists and may enable real-world abuse.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
mage-ai is vulnerable to Initialization of a Resource with an Insecure Default in versions 0.7.90 - 0.9.77.
How to fix this
Upgrade the mage-ai library to the patch version or set REQUIRE_USER_AUTHENTICATION to true.
Links
GitHub Release
Other
github.com/zn9988/publications/blob/main/2.Mage-AI%20-%20Insecure%20Default%20Authentication%20Setup%20Leading%20to%20Zero-Click%20RCE/README.md
vuldb.com/?ctiid.299049vuldb.com/?id.299049vuldb.com/?submit.510690
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant