Intel

AIKIDO-2026-432726

sagemaker is vulnerable to Code Injection

Code Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

80

High Risk

This Affects:

PYTHONsagemaker
2.199.0 - 3.11.0
Fixed in 3.12.0
Are you affected? Scan for Free

TL;DR

The capture_dependencies function in the sagemaker SDK's serve implementation interpolates dependency directory paths into generated Python source without escaping them. When ModelBuilder is invoked with dependencies={"auto": True}, an attacker who controls a directory name in the Python environment can inject arbitrary code into the generated source, which is subsequently executed in the context of the build process. The fix escapes interpolated path content before embedding it into the generated source.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses ModelBuilder with dependencies={"auto": True} in an environment where directory or path names can be influenced by an attacker.

Background info

sagemaker is vulnerable to Code Injection in versions 2.199.0 - 3.11.0.

How to fix this

Upgrade the sagemaker library to the patch version.