PyPI: sagemaker

CVE-2024-34073

Safety vulnerability ID: SFTY-20240503-11800

Safety legacy ID: pyup.io-71630

Created at: May 22, 2026
Updated at: May 22, 2026

Overview

sagemaker-python-sdk Command Injection vulnerability

Advisory

Affected versions of the sagemaker package are vulnerable to OS Command Injection due to improper handling of the `requirements_path` parameter. The `capture_dependencies` function in the `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module executes system commands built from user input without adequate validation or sanitization. An attacker can exploit this by supplying a malicious command as the `requirements_path` parameter, potentially leading to Remote Code Execution, Denial of Service, and compromise of both confidentiality and integrity.
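The following added example (not code from the sagemaker SDK, and not the fix shipped in 2.214.3) shows the general mitigation for this class of bug: validate the path, then pass it to the child process as one argv element with no shell. The names `validate_requirements_path`, `args_seen_by_child` and `capture_dependencies_hardened` are hypothetical, and a child Python process stands in for the external command.

```python
import json
import subprocess
import sys
from pathlib import Path

# Stand-in for the external command (assumption): a child Python process
# that reports the argument vector it received as JSON.
TOOL = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
SHELL_META = set(";|&$`<>(){}!*?\"'\\\n\r")


def validate_requirements_path(requirements_path, base_dir):
    """Return the resolved path if it is a plain .txt file under base_dir."""
    if not isinstance(requirements_path, str) or not requirements_path:
        raise ValueError("requirements_path must be a non-empty string")
    if requirements_path.startswith("-") or SHELL_META & set(requirements_path):
        raise ValueError("requirements_path contains disallowed characters")
    base = Path(base_dir).resolve()
    resolved = (base / requirements_path).resolve()
    if base not in resolved.parents or resolved.suffix != ".txt":
        raise ValueError("requirements_path must be a .txt file under base_dir")
    return resolved


def args_seen_by_child(*args):
    """Run the stand-in tool with an argv list (no shell) and return its args."""
    done = subprocess.run(TOOL + list(args), capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


def capture_dependencies_hardened(requirements_path, base_dir):
    """Hypothetical hardened wrapper: validate, then pass one argv element."""
    path = validate_requirements_path(requirements_path, base_dir)
    return args_seen_by_child(str(path))


if __name__ == "__main__":
    constructed = "requirements.txt; echo constructed-marker"  # constructed input
    # Without a shell the whole string stays one argument, metacharacters included.
    print(args_seen_by_child(constructed))
    try:
        capture_dependencies_hardened(constructed, ".")
    except ValueError as exc:
        print("rejected:", exc)
    print(capture_dependencies_hardened("requirements.txt", "."))
```

The argv form alone keeps metacharacters from being interpreted; the validation layer additionally rejects option-like values and paths that resolve outside the expected directory.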

Affected Package

Affecting sagemaker package, versions >=2.199.0,<2.214.3

How to Fix

Upgrade sagemaker to 2.214.3 or higher.
