cbcvebase.
CVE-2022-31188
published 2022-08-01

Priority: P277
Severity: critical (CVSS 3.1 base score 9.8)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 47.85% (98.7th percentile)
CVAT is an open-source interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 are subject to a server-side request forgery (SSRF) vulnerability. Validation of the URLs used in the affected code path was added in version 2.0.0. Users are advised to upgrade. There are no known workarounds for this issue.

Affected (2 ranges)

Vendor    Product                           Version range   Fixed in
cvat-ai   cvat                              < 2.0.0         2.0.0
cvat      computer_vision_annotation_tool   < 2.0.0         2.0.0

Detection & IOCs (extracted from sources)

URL: /api/v1/tasks/2/data
Command: POST /api/v1/tasks/{id}/data with multipart field remote files[0]=http://<internal-host>:<port>
  • Detect SSRF exploitation attempts by monitoring POST requests to the CVAT API endpoint /api/v1/tasks/*/data containing a multipart form field named 'remote files[0]' with internal/loopback URLs (e.g., http://localhost, http://127.0.0.1, http://169.254.x.x, RFC-1918 ranges).
  • Alert on POST requests to /api/v1/tasks/<id>/data with Content-Type multipart/form-data where the body contains 'remote files' fields pointing to non-public/internal network addresses — this is the specific code path vulnerable to SSRF in CVAT versions prior to 2.0.0.
  • Flag CVAT instances running version prior to 2.0.0 (tested on 1.7.0) as vulnerable; correlate with inbound POST requests to /api/v1/tasks/*/data using remote file URL parameters.
  • The exploit uses a local/loopback SSRF target (localhost:8081) for demonstration; in real attacks the 'remote files[0]' value may point to any internal network resource, cloud metadata endpoints (169.254.169.254), or other SSRF targets — detection rules must cover the full internal address space, not just localhost.
  • The vulnerability is fixed in CVAT 2.0.0 via URL validation on the affected code path; however the exploit title references '2.0' which may cause confusion — the vulnerable range is strictly versions PRIOR TO 2.0.0.
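The detection rule described in the bullets above, written out as an added Python check (not code from the page's sources or from CVAT): it matches the request shape, pulls the 'remote files[n]' field out of the multipart body and classifies the target host as internal (localhost, loopback, RFC 1918, link-local including the metadata address) rather than only loopback. The minimal multipart parser, the constructed sample requests and the acceptance of an underscore in the field name are assumptions.

```python
import re
import ipaddress
from urllib.parse import urlsplit

PATH_RE = re.compile(r"^/api/v1/tasks/\d+/data/?$")  # IOC path: POST /api/v1/tasks/<id>/data
FIELD_RE = re.compile(r"^remote[ _]files\[\d+\]$", re.I)  # page spells it 'remote files[0]'; '_' form assumed

def multipart_fields(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value}."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":  # preamble or closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', headers)
        if name:
            fields[name.group(1)] = value.strip("\r\n")
    return fields

def host_is_internal(host) -> bool:
    """True for localhost or a literal IP that is not globally routable (loopback,
    RFC 1918, link-local such as 169.254.169.254, ::1). DNS names are not resolved."""
    if host == "localhost" or (host or "").endswith(".localhost"):
        return True
    try:
        return not ipaddress.ip_address(host or "").is_global
    except ValueError:
        return False  # empty or a hostname: a resolver-aware rule would resolve and re-check

def ssrf_targets(req: dict) -> list:
    """Internal URLs found in 'remote files[n]' fields of a matching request, else []."""
    ctype = req["headers"].get("Content-Type", "")
    boundary = re.search(r'^multipart/form-data.*boundary="?([^";\s]+)', ctype)
    if req["method"] != "POST" or not PATH_RE.match(req["path"]) or not boundary:
        return []
    fields = multipart_fields(req["body"], boundary.group(1))
    return [v for n, v in fields.items()
            if FIELD_RE.match(n) and host_is_internal(urlsplit(v).hostname)]

def sample_request(path, field, url):  # constructed sample, not captured traffic
    body = f'--B\r\nContent-Disposition: form-data; name="{field}"\r\n\r\n{url}\r\n--B--\r\n'
    return {"method": "POST", "path": path, "body": body,
            "headers": {"Content-Type": "multipart/form-data; boundary=B"}}

SAMPLES = {  # constructed requests that exercise the rule
    "loopback": sample_request("/api/v1/tasks/2/data", "remote files[0]", "http://localhost:8081/"),
    "metadata": sample_request("/api/v1/tasks/7/data", "remote_files[0]", "http://169.254.169.254/"),
    "public": sample_request("/api/v1/tasks/2/data", "remote files[0]", "http://example.com/a.jpg"),
}
```

A DNS name that resolves to an internal address is not caught by the literal-IP check; a production rule should resolve the host and re-run host_is_internal on each resulting address.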