CVE-2024-49048 is a remote code execution flaw in Microsoft's TorchGeo geospatial ML library (all versions before 0.6.1), exploitable by a network attacker without credentials, though high attack complexity limits opportunistic exploitation. Organizations running satellite imagery analysis, remote sensing, or environmental AI pipelines that depend on TorchGeo must patch to v0.6.1 immediately. EPSS is low (0.5%) and there is no KEV inclusion, but unauthenticated RCE with full CIA impact warrants prompt remediation regardless.
Risk Assessment
CVSS 8.1 (High) with AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:H. The high attack complexity (AC:H) is the primary mitigating factor: exploitation likely requires the adversary to control or serve malicious input data (e.g., crafted geospatial dataset files) consumed by TorchGeo. The absence of any privilege or user-interaction requirement makes it attractive for targeted attacks against AI pipelines with external data ingestion. EPSS of 0.5% indicates low current exploitation activity, but the absence of evidence is not evidence of absence given the niche deployment context.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| torchgeo | pip | >= 0.4, <= 0.6.0 | 0.6.1 |
Recommended Action
1. PATCH: Upgrade torchgeo to >= 0.6.1 immediately (`pip install --upgrade torchgeo`). Review pinned versions in requirements.txt, Pipfile, and pyproject.toml across all ML environments.
2. AUDIT: Inventory all environments (dev, staging, prod, notebooks, CI/CD) where torchgeo is installed; run `pip show torchgeo | grep Version`.
3. HARDEN: Restrict external dataset ingestion paths; validate and sandbox geospatial file processing (GeoTIFF, Shapefile, HDF5) before loading into TorchGeo.
4. ISOLATE: Run TorchGeo data loading in sandboxed containers with no network egress and minimal filesystem access.
5. DETECT: Alert on unexpected network connections or process spawning from Python ML training jobs. Monitor for anomalous subprocess execution in ML workloads.
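An added example for the PATCH and AUDIT steps (not code from TorchGeo or from this page): it checks the installed torchgeo version and the torchgeo lines of a requirements file against the vulnerable range given in the Affected Systems table. The verdict names, the sample file contents and the conservative handling of open-ended specifiers are assumptions of this example.

```python
import re
from importlib import metadata

# Vulnerable range and fix version taken from the page's "Affected Systems" table.
VULN_MIN, VULN_MAX, FIXED = (0, 4, 0), (0, 6, 0), (0, 6, 1)
# Matches a torchgeo requirement (optionally with extras), not e.g. "torchgeo-foo".
REQ = re.compile(r"^\s*torchgeo(?![\w.-])(?:\[[^\]]*\])?\s*([^;#]*)", re.I)
CLAUSE = re.compile(r"(==|~=|>=|<=|!=|>|<)\s*([\w.*+]+)")

def parse_version(text):
    """Release part of a version as a 3-tuple: '0.5.2.post1' -> (0, 5, 2)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("+")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable(version):
    return VULN_MIN <= parse_version(version) <= VULN_MAX

def audit_requirement(line):
    """Return None for non-torchgeo lines, else 'vulnerable-pin', 'floor-too-low' or 'ok'."""
    m = REQ.match(line)
    if not m:
        return None
    clauses = CLAUSE.findall(m.group(1))
    pins = [v for op, v in clauses if op == "=="]
    if pins:
        return "vulnerable-pin" if is_vulnerable(pins[0]) else "ok"
    floors = [parse_version(v) for op, v in clauses if op in (">=", "~=", ">")]
    # Conservative: without a floor at the fixed release, an existing 0.6.0
    # install or a stale lock file can still satisfy the requirement.
    return "ok" if floors and max(floors) >= FIXED else "floor-too-low"

def audit_text(text):
    """Return (line_number, verdict) for every torchgeo requirement in a file's text."""
    checked = ((n, audit_requirement(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, v) for n, v in checked if v]

def installed_status():
    """Check the torchgeo actually installed in this interpreter's environment."""
    try:
        version = metadata.version("torchgeo")
    except metadata.PackageNotFoundError:
        return "not installed"
    return f"{version}: " + ("VULNERABLE" if is_vulnerable(version) else "ok")

# Constructed sample requirements file (not from the page).
SAMPLE = "numpy>=1.24\ntorchgeo==0.5.2\ntorchgeo[datasets]>=0.4\ntorchgeo>=0.6.1\ntorchgeo-extras==0.5\n"
if __name__ == "__main__":
    print(installed_status(), audit_text(SAMPLE))
```

Run it once per environment (including notebook kernels and CI images), since `installed_status()` only sees the interpreter it runs in.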
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2024-49048 actively exploited?
No confirmed active exploitation of CVE-2024-49048 has been reported, but organizations should still patch proactively.
How to fix CVE-2024-49048?
1. PATCH: Upgrade torchgeo to >= 0.6.1 immediately (`pip install --upgrade torchgeo`). Review pinned versions in requirements.txt, Pipfile, and pyproject.toml across all ML environments.
2. AUDIT: Inventory all environments (dev, staging, prod, notebooks, CI/CD) where torchgeo is installed; run `pip show torchgeo | grep Version`.
3. HARDEN: Restrict external dataset ingestion paths; validate and sandbox geospatial file processing (GeoTIFF, Shapefile, HDF5) before loading into TorchGeo.
4. ISOLATE: Run TorchGeo data loading in sandboxed containers with no network egress and minimal filesystem access.
5. DETECT: Alert on unexpected network connections or process spawning from Python ML training jobs. Monitor for anomalous subprocess execution in ML workloads.
What systems are affected by CVE-2024-49048?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing pipelines, batch inference pipelines, ML platform environments (SageMaker, Azure ML, Vertex AI).
What is the CVSS score for CVE-2024-49048?
CVE-2024-49048 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.65%.
Technical Details
NVD Description
TorchGeo Remote Code Execution Vulnerability
Exploitation Scenario
An adversary targets an organization running automated satellite imagery pipelines that pull external GeoTIFF or dataset archives from a third-party data provider. The attacker compromises or impersonates the data source (supply chain or MITM) and serves a crafted geospatial dataset file containing injected code. When the TorchGeo data loader processes the malicious file — during dataset instantiation or transform application — the injected code executes in the context of the ML training job. With no authentication barrier and the full CIA triad exposed, the attacker can exfiltrate model weights, training data, cloud credentials stored in the runtime environment, or deploy a reverse shell for persistent access. Given TorchGeo's use in defense and intelligence geospatial applications, the targeted attack surface is high-value.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-g5vp-j278-8pjh
- github.com/advisories/GHSA-ghq9-vc6f-8qjf
- github.com/microsoft/torchgeo/pull/2323
- github.com/microsoft/torchgeo/releases/tag/v0.6.1
- github.com/pypa/advisory-database/tree/main/vulns/torchgeo/PYSEC-2024-204.yaml
- github.com/torchgeo/torchgeo/commit/1a980788cb7089a1115f3b786c7daa9dd47d7d7a
- github.com/torchgeo/torchgeo/pull/2323
- github.com/torchgeo/torchgeo/pull/917
- github.com/torchgeo/torchgeo/security/advisories/GHSA-ghq9-vc6f-8qjf
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49048
- nvd.nist.gov/vuln/detail/CVE-2024-49048
Related Vulnerabilities
| CVE | Score | Summary | Same attack type |
|---|---|---|---|
| CVE-2025-59528 | 10.0 | Flowise: Unauthenticated RCE via MCP config injection | Supply Chain |
| CVE-2024-2912 | 10.0 | BentoML: RCE via insecure deserialization (CVSS 10) | Supply Chain |
| CVE-2023-3765 | 10.0 | MLflow: path traversal allows arbitrary file read | Supply Chain |
| CVE-2025-5120 | 10.0 | smolagents: sandbox escape enables unauthenticated RCE | Supply Chain |
| CVE-2026-21858 | 10.0 | n8n: Input Validation flaw enables exploitation | Code Execution |