Summary
Public advisory GHSA-g82g-j283-hj97 / CVE-2026-31235 reports insecure deserialization in BackgroundAugmenter (imgaug/multicore.py): _augment_images_worker() unpickles data from a multiprocessing queue without validation.
Affected: all releases through 0.4.0 (current PyPI latest).
Impact (brief)
CWE-502 — if an attacker can influence queue payloads, a malicious pickle can execute arbitrary code in the worker process.
References
Maintainer request
- Please acknowledge this report.
- Please indicate whether a patched release (e.g. 0.4.1+) is planned, or if the project is unmaintained.
- If no patch is planned, guidance to remove/replace the library would help downstream users.
Note: Private vulnerability reporting is not enabled on this repository (GitHub API returned 403), so this is filed as a public issue for visibility. No exploit/PoC is included; I can share further technical detail privately if needed (kontakt@ajung.name or reply here).
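The mitigation side of the issue above, as an added example that is not part of this report or of imgaug itself: a restricted unpickler using the "Restricting Globals" pattern from the Python pickle documentation. The allowlist below is an assumption for illustration; a real worker exchanging imgaug batches would also have to allow numpy and the batch classes it actually passes. The two sample payloads are constructed here, not taken from the advisory, and the "malicious" one only references the harmless os.getcwd, which is enough to show that any global reference is refused.

```python
import io
import os
import pickle

# Allowlist of (module, name) pairs that unpickling may resolve.
# Illustrative only (assumption): a real BackgroundAugmenter worker would also
# need numpy and the imgaug batch types it actually exchanges over the queue.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "tuple"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytes"),
    ("builtins", "str"),
    ("builtins", "int"),
    ("builtins", "float"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not in SAFE_GLOBALS.

    Every GLOBAL / STACK_GLOBAL opcode in a pickle stream goes through
    find_class(), so an allowlist here blocks streams that try to name
    arbitrary callables, which is the CWE-502 vector the report describes.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to unpickle global {module}.{name}")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that applies the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check_payload(data: bytes):
    """Return ("ok", obj) if the payload unpickles under the allowlist,
    or ("rejected", reason) if a disallowed global was referenced."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample payloads (not real imgaug batches).
BENIGN_PAYLOAD = pickle.dumps({"batch_id": 7, "images": [b"\x00" * 4]})

# A stream that merely references a module-level callable. Resolving
# os.getcwd is harmless, but the global reference is exactly what a
# restricted loader must refuse, since the same opcode could name anything.
GLOBAL_REF_PAYLOAD = pickle.dumps(os.getcwd)


if __name__ == "__main__":
    print(check_payload(BENIGN_PAYLOAD))
    print(check_payload(GLOBAL_REF_PAYLOAD))
```

Note that multiprocessing.Queue performs the pickling and unpickling internally, so in practice this loader only helps where the worker reads raw bytes itself; otherwise the effective control is the one the report implies, namely making sure nothing untrusted can write to the queue.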