Kedro has Arbitrary Code Execution via Malicious Logging Configuration
🔗 CVE IDs covered (1)
📋 Description
Impact
This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input.
Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup.
Patches
The vulnerability is fixed by introducing validation that rejects the unsafe () factory key in logging configurations before passing them to dictConfig().
Fixed in
- Kedro 1.3.0
Users should upgrade to this version as soon as possible.
Workarounds
If upgrading is not immediately possible:
- Do not allow untrusted input to control the
KEDRO_LOGGING_CONFIGenvironment variable - Restrict write access to logging configuration files
- Avoid using externally supplied or dynamically generated logging configs
- Manually validate logging YAML to ensure it does not contain the
()key
These mitigations reduce risk but do not fully eliminate it.
References
- Python logging configuration documentation: https://docs.python.org/3/library/logging.config.html#logging-config-dictschema
- CWE-94: Code Injection — https://cwe.mitre.org/data/definitions/94.html
🎯 Affected products1
- pip/kedro:< 1.3.0