High severity8.8NVD Advisory· Published Mar 20, 2025· Updated Apr 15, 2026

CVE-2024-12215

Description

In kedro-org/kedro version 0.19.8, the pull_package() API function allows users to download and extract micro packages from the Internet. However, the function project_wheel_metadata() within the code path can execute the setup.py file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
kedroPyPI	<= 0.19.8	—

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-rm69-wvpv-r2w7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-12215ghsaADVISORY
huntr.com/bounties/fad27503-97a4-4933-91d4-96223b8c54d8nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000