Label Studio SDK Path Traversal Vulnerability Allowing Arbitrary File Reads

Vulnerability

A path traversal vulnerability has been identified in Label Studio SDK versions prior to 1.0.10. This vulnerability allows unauthorized access to files outside the intended directory structure, particularly during the export of projects in VOC, COCO, and YOLO formats. The issue arises because the export functionalities do not properly validate file paths when processing image references, enabling attackers to exploit the vulnerability by injecting path traversal sequences. This vulnerability requires authentication and could lead to the exposure of sensitive information such as configuration files, credentials, and other confidential data.

Impact

Exploitation of this vulnerability could result in unauthorized access to arbitrary files on the server, including sensitive information like passwords and configuration files.

Reproduction

To reproduce this vulnerability, log into Label Studio and create a project with an image labeling configuration. Upload an image to trigger the creation of the 'data/media/upload' directory. Then, create a task that includes a path traversal sequence in the image field, targeting either the 'is_uploaded_file' or 'is_local_file' code paths. After the task is created, export the project using one of the vulnerable formats (VOC, COCO, or YOLO). The exported file will contain the contents of the targeted file from the server's filesystem, such as '/etc/passwd'.

Remediation

Users should upgrade to Label Studio version 1.16.0 or newer. Additionally, it's recommended to validate and sanitize file paths, implement file access controls, and use secure file storage practices.
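The kind of path validation the remediation calls for, shown as an added example rather than the Label Studio SDK's own code: an image reference taken from a task is resolved against the media root and rejected if the real path lands outside it. The function names, the media_root location and the sample references are assumptions constructed for the example.

```python
import os
from urllib.parse import unquote


class UnsafeMediaPath(ValueError):
    """Raised when an image reference would resolve outside the media root."""


def resolve_media_path(media_root: str, image_ref: str) -> str:
    """Map a task's image reference onto a file under media_root.

    Hypothetical hardened helper (not Label Studio's code). The reference is
    treated as relative to the media root, percent-decoded exactly once so an
    encoded '..%2F' cannot slip past the check, and the final real path
    (symlinks resolved) must be the root itself or a descendant of it.
    """
    root = os.path.realpath(media_root)
    # Decode once only: decoding twice would let '%252e%252e' become '..'.
    ref = unquote(image_ref)
    # Leading slashes are dropped so an absolute reference cannot replace the root.
    ref = ref.lstrip("/")
    if not ref or "\x00" in ref:
        raise UnsafeMediaPath(f"empty or malformed reference: {image_ref!r}")
    candidate = os.path.realpath(os.path.join(root, ref))
    # The actual containment check: every '..' has been collapsed by realpath,
    # so a candidate outside the root no longer shares the root as a prefix.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeMediaPath(f"reference escapes media root: {image_ref!r}")
    return candidate


def is_safe_media_ref(media_root: str, image_ref: str) -> bool:
    """Boolean form for an export loop: False means skip the task and log it."""
    try:
        resolve_media_path(media_root, image_ref)
        return True
    except UnsafeMediaPath:
        return False


if __name__ == "__main__":
    # Constructed sample references, one legitimate upload and two traversal attempts.
    root = "/srv/label-studio/data/media/upload"
    for ref in ("1/cat.png", "../../../../etc/passwd", "..%2F..%2F..%2F..%2Fetc%2Fpasswd"):
        print(f"{ref!r:45} -> {'ok' if is_safe_media_ref(root, ref) else 'REJECTED'}")
```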

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread          5.7
impact          3.3
exploitability  9.1
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.