CVE-2026-31235
CriticalSummary
The imgaug library through version 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. This class uses Python's pickle module to deserialize data from a multiprocessing queue without any safety checks.
Risk Assessment
An attacker who can influence the data in this queue can provide a malicious pickle payload, leading to arbitrary code execution in the context of the worker process. This may result in remote or local code execution depending on the deployment scenario.
Recommendation
It is recommended to update the imgaug library to the latest version to mitigate this vulnerability. Additionally, avoid deserializing data from untrusted sources.
Original NVD description (English source)
The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to deserialize data received via a multiprocessing queue in the _augment_images_worker() method without any safety checks. An attacker who can influence the data placed into this queue (e.g., through social engineering, malicious input scripts, or a compromised shared queue) can provide a malicious pickle payload. When deserialized, this payload can execute arbitrary code in the context of the worker process, leading to remote or local code execution depending on the deployment scenario.

