CVE-2024-49048: TorchGeo: RCE via code injection in geospatial ML lib

GHSA-ghq9-vc6f-8qjf HIGH
Published November 12, 2024

CISO Take

CVE-2024-49048 is a remote code execution flaw in Microsoft's TorchGeo geospatial ML library (all versions before 0.6.1), exploitable by a network attacker without credentials, though high attack complexity limits opportunistic exploitation. Organizations running satellite imagery analysis, remote sensing, or environmental AI pipelines that depend on TorchGeo must patch to v0.6.1 immediately. EPSS is low (0.5%) and the CVE is not in the KEV catalog, but unauthenticated RCE with full CIA impact warrants prompt remediation regardless.

What is the risk?

CVSS 8.1 (High), vector AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:H. The high attack complexity (AC:H) is the primary mitigating factor: exploitation likely requires the adversary to control or serve malicious input data (e.g., crafted geospatial dataset files) consumed by TorchGeo. Because no privileges or user interaction are required, the flaw is attractive for targeted attacks against AI pipelines that ingest external data. An EPSS of 0.5% indicates low current exploitation activity, but absence of evidence is not evidence of absence given the niche deployment context.

What systems are affected?

Package: TorchGeo
Ecosystem: pip
Vulnerable Range: >= 0.4, <= 0.6.0
Patched: 0.6.1

Do you use TorchGeo? You're affected.

How severe is it?

CVSS 3.1: 8.1 / 10
EPSS: 1.2% chance of exploitation in 30 days (higher than 65% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV: Network
AC: High
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. PATCH

    Upgrade torchgeo to >= 0.6.1 immediately (`pip install --upgrade torchgeo`). Review pinned versions in requirements.txt, Pipfile, and pyproject.toml across all ML environments.

  2. AUDIT

    Inventory all environments (dev, staging, prod, notebooks, CI/CD) where torchgeo is installed: run `pip show torchgeo | grep Version`.

  3. HARDEN

    Restrict external dataset ingestion paths; validate and sandbox geospatial file processing (GeoTIFF, Shapefile, HDF5) before loading into TorchGeo.

  4. ISOLATE

    Run TorchGeo data loading in sandboxed containers with no network egress and minimal filesystem access.

  5. DETECT

    Alert on unexpected network connections or process spawning from Python ML training jobs. Monitor for anomalous subprocess execution in ML workloads.
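
The PATCH and AUDIT steps can be scripted. The following is an added example, not part of the original advisory or of TorchGeo: it classifies torchgeo entries in requirements-style text against the vulnerable range listed above and checks the running environment. The verdict names, `SAMPLE` input and the package name `torchgeo-tools` are constructed for illustration; only exact pins and lower bounds are interpreted, and everything else is reported for review.

```python
import re
from importlib import metadata

# Range from the advisory table: >= 0.4, <= 0.6.0 is vulnerable; 0.6.1 is the fix.
VULN_MIN, VULN_MAX, FIXED = (0, 4, 0), (0, 6, 0), (0, 6, 1)
REQ_RE = re.compile(r"""^\s*["']?torchgeo(?![\w.-])(?:\[[^\]]*\])?([^#;]*)""", re.I)
SPEC_RE = re.compile(r"(==|>=|<=|~=|!=|>|<)\s*([0-9][0-9.]*)")

def parse_version(text):
    """'0.6' -> (0, 6, 0). Release digits only, so '0.6.0rc1' counts as 0.6.0."""
    nums = [int(n) for n in re.findall(r"\d+", re.match(r"[0-9.]+", text).group())]
    return tuple((nums + [0, 0, 0])[:3])

def is_vulnerable(version):
    return VULN_MIN <= version <= VULN_MAX

def classify_requirement(line):
    """Verdict for one requirements/pyproject line, or None if not torchgeo."""
    m = REQ_RE.match(line)
    if not m:
        return None
    specs = [(op, parse_version(v)) for op, v in SPEC_RE.findall(m.group(1))]
    if not specs:
        return "UNPINNED"            # resolver decides; check the lock file too
    for op, v in specs:
        if op == "==":
            return "VULNERABLE" if is_vulnerable(v) else "OK"
        if (op in (">=", "~=") and v >= FIXED) or (op == ">" and v >= VULN_MAX):
            return "OK"              # lower bound already excludes <= 0.6.0
    return "ALLOWS_VULNERABLE"       # conservative: anything else needs review

def audit(text):
    """(line number, verdict) for every torchgeo requirement line in text."""
    rows = enumerate(map(classify_requirement, text.splitlines()), 1)
    return [(n, verdict) for n, verdict in rows if verdict]

def installed_verdict(dist="torchgeo"):
    """Same check for the running environment (what `pip show torchgeo` reports)."""
    try:
        found = parse_version(metadata.version(dist))
    except metadata.PackageNotFoundError:
        return "NOT_INSTALLED"
    return "VULNERABLE" if is_vulnerable(found) else "OK"

# Constructed sample; "torchgeo-tools" is a made-up name to show the boundary check.
SAMPLE = "numpy>=1.26\ntorchgeo==0.5.2\ntorchgeo[datasets]>=0.5\ntorchgeo>=0.6.1\ntorchgeo\ntorchgeo-tools==0.5.0\n"

if __name__ == "__main__":
    print(audit(SAMPLE), "installed:", installed_verdict())
```

Run it with each environment's own interpreter, since `installed_verdict()` only sees the environment it executes in.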

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.3 - AI system security and resilience
NIST AI RMF: GOVERN 1.7 - Processes and procedures are in place for decommissioning and phasing out AI systems; MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM09:2025 - Misinformation / Overreliance on Third-Party Dependencies

Frequently Asked Questions

Is CVE-2024-49048 actively exploited?

No confirmed active exploitation of CVE-2024-49048 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2024-49048?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data preprocessing pipelines, batch inference pipelines, ML platform environments (SageMaker, Azure ML, Vertex AI).

What is the CVSS score for CVE-2024-49048?

CVE-2024-49048 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 1.22%.

What is the AI security impact?

Affected AI Architectures

training pipelines
data preprocessing pipelines
batch inference pipelines
ML platform environments (SageMaker, Azure ML, Vertex AI)

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.002 Data
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.3
NIST AI RMF: GOVERN 1.7, MANAGE 2.2
OWASP LLM Top 10: LLM09:2025

What are the technical details?

Original Advisory

TorchGeo Remote Code Execution Vulnerability

Exploitation Scenario

An adversary targets an organization running automated satellite imagery pipelines that pull external GeoTIFF or dataset archives from a third-party data provider. The attacker compromises or impersonates the data source (supply chain or MITM) and serves a crafted geospatial dataset file containing injected code. When the TorchGeo data loader processes the malicious file — during dataset instantiation or transform application — the injected code executes in the context of the ML training job. With no authentication barrier and the full CIA triad exposed, the attacker can exfiltrate model weights, training data, cloud credentials stored in the runtime environment, or deploy a reverse shell for persistent access. Given TorchGeo's use in defense and intelligence geospatial applications, the targeted attack surface is high-value.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.
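
The first mitigation above (do not generate code dynamically), shown as an added example of the general CWE-94 pattern: a name taken from configuration is resolved with `eval` in the 'before' form and with an allow-listed lookup in the 'after' form. This is not TorchGeo's code, which this page does not show; `DemoWeights`, `REGISTRIES` and both resolver functions are hypothetical names.

```python
import enum

class DemoWeights(enum.Enum):
    """Hypothetical registry of pretrained-weight identifiers (not a TorchGeo class)."""
    SENTINEL2_RGB = "demo/sentinel2_rgb.pth"
    LANDSAT_ALL = "demo/landsat_all.pth"

# Only registries listed here may be named in configuration.
REGISTRIES = {"DemoWeights": DemoWeights}

def resolve_weights_unsafe(name: str):
    """'Before' form: the string is compiled and run as a Python expression,
    so whoever influences the config or metadata decides what code runs."""
    return eval(name)  # deliberately vulnerable, kept for comparison

def resolve_weights_safe(name: str):
    """'After' form: split the name, look both parts up, reject everything else."""
    registry_name, sep, member_name = name.partition(".")
    registry = REGISTRIES.get(registry_name)
    if not sep or registry is None:
        raise ValueError(f"unknown weights registry: {registry_name!r}")
    try:
        return registry[member_name]  # Enum name lookup; nothing is evaluated
    except KeyError:
        raise ValueError(f"unknown weights member: {member_name!r}") from None

if __name__ == "__main__":
    # Constructed inputs: a legitimate name and a harmless stand-in expression.
    for name in ("DemoWeights.LANDSAT_ALL", "len('not a weights name')"):
        print("unsafe:", repr(resolve_weights_unsafe(name)))
        try:
            print("safe:  ", repr(resolve_weights_safe(name)))
        except ValueError as exc:
            print("safe:   rejected,", exc)
```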

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: November 12, 2024
Last Modified: April 1, 2026
First Seen: March 24, 2026
