CVE-2025-0508: SageMaker SDK: MD5 collision silently replaces ML workflows

GHSA-32g6-mg92-ghm2 MEDIUM CISA: TRACK*
Published March 20, 2025
CISO Take

The SageMaker Python SDK used MD5 to deduplicate workflow results, allowing two distinct pipeline configurations to resolve to the same cached output — silently substituting one workflow for another. Any team running SageMaker Pipelines should upgrade to sagemaker>=2.237.3 immediately. The integrity impact is high: wrong models, wrong preprocessing steps, or wrong training configurations could execute undetected if an adversary (or even an accidental configuration collision) triggers the hash clash.

Risk Assessment

CVSS 5.9 Medium with High integrity impact but High attack complexity. EPSS is extremely low (0.05%), meaning opportunistic exploitation in the wild is unlikely in the near term. The real risk is not remote mass exploitation but targeted supply-chain or insider abuse within a controlled ML environment where an attacker can influence pipeline configuration inputs to engineer a hash collision. For organizations with SageMaker-based production ML pipelines — particularly those subject to ISO 42001 or EU AI Act audits — the integrity gap is non-trivial even at this CVSS score, since erroneous pipeline outputs may go undetected for extended periods.

Affected Systems

Package     Ecosystem   Vulnerable Range   Patched
sagemaker   pip         < 2.237.3          2.237.3

51 dependents; 100% patched; ~53 days to patch.


Severity & Risk

CVSS 3.1
5.9 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 33% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Advanced
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Metric                     Value
AV (Attack Vector)         Network
AC (Attack Complexity)     High
PR (Privileges Required)   None
UI (User Interaction)      None
S (Scope)                  Unchanged
C (Confidentiality)        None
I (Integrity)              High
A (Availability)           None

Recommended Action

5 steps
  1. Upgrade immediately: pin sagemaker>=2.237.3 in all requirements files and rebuild affected Docker images and Lambda layers.

  2. Audit pipeline cache hits: review CloudWatch logs for unexpected pipeline step cache hits (CacheHitResult events) on pipelines that should have re-executed.

  3. Disable pipeline caching as a temporary workaround on critical pipelines if upgrade cannot be applied immediately (set enable_caching=False on PipelineStep objects).

  4. Validate model artifacts: cross-check model registry entries against expected training run IDs to detect any substituted artifacts.

  5. Add integrity checks: implement SHA-256 manifest verification on pipeline artifacts at the output step as a defense-in-depth control independent of the SDK version.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 10 - Data and Data Governance
  Article 9 - Risk Management System
ISO 42001
  8.4 - AI System Lifecycle — Data and Model Integrity
NIST AI RMF
  MANAGE 2.2 - Mechanisms to Sustain Deployed AI System Value
  MEASURE 2.5 - AI System Trustworthiness — Integrity Testing

Frequently Asked Questions

What is CVE-2025-0508?

The SageMaker Python SDK used MD5 to deduplicate workflow results, allowing two distinct pipeline configurations to resolve to the same cached output — silently substituting one workflow for another. Any team running SageMaker Pipelines should upgrade to sagemaker>=2.237.3 immediately. The integrity impact is high: wrong models, wrong preprocessing steps, or wrong training configurations could execute undetected if an adversary (or even an accidental configuration collision) triggers the hash clash.

Is CVE-2025-0508 actively exploited?

No confirmed active exploitation of CVE-2025-0508 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-0508?

  1. Upgrade immediately: pin sagemaker>=2.237.3 in all requirements files and rebuild affected Docker images and Lambda layers.

  2. Audit pipeline cache hits: review CloudWatch logs for unexpected pipeline step cache hits (CacheHitResult events) on pipelines that should have re-executed.

  3. Disable pipeline caching as a temporary workaround on critical pipelines if upgrade cannot be applied immediately (set enable_caching=False on PipelineStep objects).

  4. Validate model artifacts: cross-check model registry entries against expected training run IDs to detect any substituted artifacts.

  5. Add integrity checks: implement SHA-256 manifest verification on pipeline artifacts at the output step as a defense-in-depth control independent of the SDK version.

What systems are affected by CVE-2025-0508?

This vulnerability affects the following AI/ML architecture patterns: ML training pipelines, SageMaker Pipelines with caching enabled, MLOps CI/CD automation, Model registry workflows, Batch inference pipelines.

What is the CVSS score for CVE-2025-0508?

CVE-2025-0508 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.14%.

Technical Details

NVD Description

A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This issue can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes.

Exploitation Scenario

An adversary with write access to a shared SageMaker Pipeline definition (e.g., through a compromised MLOps CI/CD pipeline, a malicious pull request to an ML repo, or insider access) crafts a subtly modified pipeline configuration — different preprocessing parameters or a slightly altered training script — engineered to produce the same MD5 hash as a legitimate production pipeline configuration. When the pipeline executes, SageMaker's caching mechanism returns the previously cached result of the legitimate configuration without re-running the step. The adversary's configuration never actually executes, but its cached predecessor does — effectively laundering a stale or adversarially chosen artifact into the pipeline output. The substitution is invisible in pipeline execution logs, which show a cache hit as expected behavior.
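As an added example (not SageMaker SDK code and not from this advisory) covering both the cache-key weakness described in the scenario above and the SHA-256 manifest check from step 5 of the Recommended Action: a hypothetical cache_key helper that shows the MD5-over-configuration pattern beside a SHA-256 key over canonical JSON, plus a manifest builder and verifier run over a constructed artifact directory in which one file is later swapped.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def cache_key(step_config: dict, algorithm: str = "sha256") -> str:
    """Hypothetical cache key for a pipeline step (not the SDK's own code).

    The config is serialised canonically so key order cannot change the digest.
    algorithm="md5" reproduces the collision-prone pattern the advisory
    describes; the default SHA-256 is the hardened form."""
    canonical = json.dumps(step_config, sort_keys=True, separators=(",", ":"))
    return hashlib.new(algorithm, canonical.encode()).hexdigest()


def build_manifest(artifact_dir: Path) -> dict:
    """Map each artifact file (relative POSIX path) to its SHA-256 digest."""
    files = sorted(p for p in artifact_dir.rglob("*") if p.is_file())
    return {p.relative_to(artifact_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}


def verify_manifest(artifact_dir: Path, expected: dict) -> list:
    """Return problems found (missing, modified, unexpected files); [] means intact."""
    actual = build_manifest(artifact_dir)
    problems = [f"missing: {n}" for n in expected if n not in actual]
    problems += [f"modified: {n}" for n in expected if n in actual and actual[n] != expected[n]]
    problems += [f"unexpected: {n}" for n in actual if n not in expected]
    return problems


def demo() -> tuple:
    """Constructed walk-through: record a manifest at the output step, then
    detect that a model artifact was replaced behind the pipeline's back."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        (out / "model").mkdir()
        (out / "model" / "model.tar.gz").write_bytes(b"constructed model bytes")
        (out / "preprocess.py").write_text("# constructed preprocessing script\n")
        manifest = build_manifest(out)          # stored alongside the pipeline run
        clean = verify_manifest(out, manifest)  # [] : artifacts match the manifest
        (out / "model" / "model.tar.gz").write_bytes(b"substituted model bytes")
        tampered = verify_manifest(out, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest should be written by the step that produces the artifacts and checked by every consumer, so a cache hit that returns a different artifact set fails verification regardless of which SDK version produced the cache key.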

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Timeline

Published
March 20, 2025
Last Modified
October 15, 2025
First Seen
March 24, 2026
