CVE-2025-0508 — SageMaker Workflow component allows possibility of MD5 hash collisions

Description

A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This issue can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes.

How to fix CVE-2025-0508

To remediate CVE-2025-0508, upgrade the affected package to a fixed version below.

—upgrade to 2.237.3 or later

Is CVE-2025-0508 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.237.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-0508
PATCHgithub.com/aws/sagemaker-python-sdk
WEBgithub.com/aws/sagemaker-python-sdk/commit/dcdd99f911e8b1a05d19cf1ad939b0fefae47864
WEBhuntr.com/bounties/eb056818-5b81-466f-81ee-916058d34af2