Key Vulnerability Information

Vulnerability IDs
- GHSL-2025-012
- GHSL-2025-022
- CVE-2025-43842
- CVE-2025-43852

Vulnerability Types
- Command Injection
- Code Injection
- Deserialization of Untrusted Data

Impact
These vulnerabilities could lead to arbitrary command execution and remote code execution.

CWEs
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-502: Deserialization of Untrusted Data

Vulnerability Details
1. Command Injection in function - Variables , , and are user-supplied inputs passed to the function, which concatenates them into a command executed on the server. This could lead to arbitrary command execution.
2. Command Injection in function - Variable is user-supplied and passed to the function, which opens and reads the file path and modifies its contents. This could lead to remote code execution.
3. Deserialization of Untrusted Data in Multiple Functions - Multiple functions such as , , , , , etc. use user-supplied paths to load models or process files, which could result in deserialization of untrusted data, potentially leading to remote code execution.

Disclosure Timeline
- 2025-05-20: Issue #16 created to request contributor contact for security disclosure.
- 2025-07-25: Received response from one contributor confirming the repository is not fully active.
- 2025-07-26: Attempted to contact again to enable private vulnerability reporting on GitHub.
- 2025-04-23: GitHub Security Lab assigned CVEs under the 90-day disclosure policy.
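The two weakness patterns the advisory describes (user input concatenated into a server-side command, and user-supplied paths handed to a model loader) are shown below in a vulnerable form beside a hardened one. This is an added example, not code from the affected project: the function names, the `converter` executable, the model directory and the allowlist of model formats are all assumptions, since the advisory does not name the project's functions or formats.

```python
"""Added example: hardening the two patterns named in the advisory.

Not the affected project's code; all names below are assumed.
"""
import re
import subprocess
from pathlib import Path

# Shell metacharacters that turn a concatenated string into extra commands.
_SHELL_META = re.compile(r"[;&|`$<>\n\\'\"()*?\[\]{}~]")
# Conservative allowlist for a plain file name argument.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def contains_shell_metachars(value: str) -> bool:
    """Detection helper: flag values that a shell would reinterpret."""
    return _SHELL_META.search(value) is not None


def build_command_unsafe(tool: str, infile: str, outfile: str) -> str:
    """The pattern the advisory describes: inputs concatenated into one
    string that is later run through a shell. Every argument is attacker
    controlled text, so the shell sees whatever was supplied."""
    return f"{tool} --input {infile} --output {outfile}"


def build_command_safe(infile: str, outfile: str) -> list[str]:
    """Hardened form: fixed executable, argv list (no shell), and each
    user-supplied value validated as a bare file name before use."""
    for name in (infile, outfile):
        if not _SAFE_NAME.fullmatch(name) or name.startswith("-"):
            raise ValueError(f"rejected argument: {name!r}")
    # "converter" is an assumed executable name; never taken from user input.
    return ["converter", "--input", infile, "--output", outfile]


def run_safe(argv: list[str]) -> int:
    """Run without a shell; argument boundaries are fixed by the list."""
    return subprocess.run(argv, shell=False, check=False).returncode


# Assumed model directory and assumed allowlist of formats that do not
# deserialize arbitrary Python objects (pickle-based formats are excluded).
MODEL_DIR = Path("/srv/models")
ALLOWED_SUFFIXES = {".safetensors", ".onnx"}


def resolve_model_path(user_path: str, base: Path = MODEL_DIR) -> Path:
    """Confine a user-supplied model path to `base` and refuse formats whose
    loader would deserialize untrusted data."""
    base = base.resolve()
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise ValueError(f"path escapes model directory: {user_path!r}")
    if candidate.suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"refusing model format: {candidate.suffix!r}")
    return candidate


def raises(fn, *args) -> bool:
    """Test helper: True if fn(*args) raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: a file name carrying an injected command.
    hostile = "report.csv; id"
    print("unsafe string:", build_command_unsafe("converter", hostile, "out.csv"))
    print("flagged:", contains_shell_metachars(hostile))
    print("safe argv:", build_command_safe("report.csv", "out.csv"))
    print("hostile rejected:", raises(build_command_safe, hostile, "out.csv"))
    print("traversal rejected:", raises(resolve_model_path, "../../etc/passwd"))
```

The argv form fixes the argument boundaries before the process is created, so validation only has to reject values that would be misread as options; the path check resolves `..` and symlinks before comparing against the base directory, which is why the comparison is done on the resolved path rather than the raw string.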