AI Threat Alert
CVE-2025-0508: SageMaker SDK: MD5 collision silently replaces ML workflows
GHSA-32g6-mg92-ghm2 MEDIUM CISA: TRACK*The SageMaker Python SDK used MD5 to deduplicate workflow results, allowing two distinct pipeline configurations to resolve to the same cached output — silently substituting one workflow for another. Any team running SageMaker Pipelines should upgrade to sagemaker>=2.237.3 immediately. The integrity impact is high: wrong models, wrong preprocessing steps, or wrong training configurations could execute undetected if an adversary (or even an accidental configuration collision) triggers the hash clash.
What is the risk?
CVSS 5.9 Medium with High integrity impact but High attack complexity. EPSS is extremely low (0.05%), meaning opportunistic exploitation in the wild is unlikely in the near term. The real risk is not remote mass exploitation but targeted supply-chain or insider abuse within a controlled ML environment where an attacker can influence pipeline configuration inputs to engineer a hash collision. For organizations with SageMaker-based production ML pipelines — particularly those subject to ISO 42001 or EU AI Act audits — the integrity gap is non-trivial even at this CVSS score, since erroneous pipeline outputs may go undetected for extended periods.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| SageMaker | pip | < 2.237.3 | 2.237.3 |
Do you use SageMaker? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Upgrade immediately: pin sagemaker>=2.237.3 in all requirements files and rebuild affected Docker images and Lambda layers.
-
Audit pipeline cache hits: review CloudWatch logs for unexpected pipeline step cache hits (CacheHitResult events) on pipelines that should have re-executed.
-
Disable pipeline caching as a temporary workaround on critical pipelines if upgrade cannot be applied immediately (set enable_caching=False on PipelineStep objects).
-
Validate model artifacts: cross-check model registry entries against expected training run IDs to detect any substituted artifacts.
-
Add integrity checks: implement SHA-256 manifest verification on pipeline artifacts at the output step as a defense-in-depth control independent of the SDK version.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2025-0508?
The SageMaker Python SDK used MD5 to deduplicate workflow results, allowing two distinct pipeline configurations to resolve to the same cached output — silently substituting one workflow for another. Any team running SageMaker Pipelines should upgrade to sagemaker>=2.237.3 immediately. The integrity impact is high: wrong models, wrong preprocessing steps, or wrong training configurations could execute undetected if an adversary (or even an accidental configuration collision) triggers the hash clash.
Is CVE-2025-0508 actively exploited?
No confirmed active exploitation of CVE-2025-0508 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-0508?
1. Upgrade immediately: pin sagemaker>=2.237.3 in all requirements files and rebuild affected Docker images and Lambda layers. 2. Audit pipeline cache hits: review CloudWatch logs for unexpected pipeline step cache hits (CacheHitResult events) on pipelines that should have re-executed. 3. Disable pipeline caching as a temporary workaround on critical pipelines if upgrade cannot be applied immediately (set enable_caching=False on PipelineStep objects). 4. Validate model artifacts: cross-check model registry entries against expected training run IDs to detect any substituted artifacts. 5. Add integrity checks: implement SHA-256 manifest verification on pipeline artifacts at the output step as a defense-in-depth control independent of the SDK version.
What systems are affected by CVE-2025-0508?
This vulnerability affects the following AI/ML architecture patterns: ML training pipelines, SageMaker Pipelines with caching enabled, MLOps CI/CD automation, Model registry workflows, Batch inference pipelines.
What is the CVSS score for CVE-2025-0508?
CVE-2025-0508 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.25%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0020 Poison Training Data AML.T0031 Erode AI Model Integrity Compliance Controls Affected
What are the technical details?
Original Advisory
A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This issue can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes.
Exploitation Scenario
An adversary with write access to a shared SageMaker Pipeline definition (e.g., through a compromised MLOps CI/CD pipeline, a malicious pull request to an ML repo, or insider access) crafts a subtly modified pipeline configuration — different preprocessing parameters or a slightly altered training script — engineered to produce the same MD5 hash as a legitimate production pipeline configuration. When the pipeline executes, SageMaker's caching mechanism returns the previously cached result of the legitimate configuration without re-running the step. The adversary's configuration never actually executes, but its cached predecessor does — effectively laundering a stale or adversarially chosen artifact into the pipeline output. The substitution is invisible in pipeline execution logs, which show a cache hit as expected behavior.
Weaknesses (CWE)
CWE-328 — Use of Weak Hash: The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
- [Architecture and Design] Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use. Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead. Note that using thes
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N References
Timeline
Related Vulnerabilities
CVE-2026-1777 7.2 sagemaker: security flaw enables exploitation
Same package: sagemaker CVE-2026-8597 7.2 SageMaker: RCE via poisoned Triton model artifacts in S3
Same package: sagemaker CVE-2026-8596 7.2 SageMaker SDK: cleartext HMAC key enables model artifact RCE
Same package: sagemaker CVE-2026-1778 5.9 sagemaker: security flaw enables exploitation
Same package: sagemaker GHSA-5r2p-pjr8-7fh7 sagemaker: Allowlist Bypass evades input filtering
Same package: sagemaker