GHSA-ghq9-vc6f-8qjf: TorchGeo Remote Code Execution Vulnerability
Summary
TorchGeo versions 0.4–0.6.0 had a critical vulnerability where the `eval` function (a Python built-in that executes code from a text string) was used in the model weight API, so a weight name supplied by a caller was executed as Python code rather than matched against known names, allowing attackers to run arbitrary commands on systems using the library. Any platform exposing TorchGeo's get_weight() or trainer functions publicly was at risk.
Solution / Mitigation
The `eval` call was replaced with a fixed enum lookup (a safer way to match input to predefined options). Users are encouraged to upgrade to TorchGeo 0.6.1 or newer. For unpatched versions, input validation and sanitization (checking and cleaning user input before processing) can be used to avoid the vulnerability.
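The two patterns side by side, as an added example that is not TorchGeo's own code: a constructed stand-in for a weights enum, the vulnerable lookup that hands the caller's string to `eval`, the fixed enum lookup the advisory describes as the fix, and a shape check usable as the input validation suggested for unpatched versions. The enum name, member names and helper names are assumptions made for illustration.

```python
import re
from enum import Enum


# Constructed stand-in for a TorchGeo weights enum; the names are
# illustrative, not the library's actual members.
class ResNet50Weights(Enum):
    SENTINEL2_ALL_MOCO = "resnet50_sentinel2_all_moco.pth"
    SENTINEL2_RGB_MOCO = "resnet50_sentinel2_rgb_moco.pth"


# Fixed table of enums a caller is allowed to name. A string that does not
# map to an entry here cannot be resolved, whatever else it contains.
_WEIGHT_ENUMS: dict[str, type[Enum]] = {"ResNet50Weights": ResNet50Weights}

# Shape check for the mitigation on unpatched versions: only an
# "<Identifier>.<IDENTIFIER>" string is accepted, so expressions, calls and
# attribute chains are rejected before any lookup happens.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*$")


def is_valid_weight_name(name: str) -> bool:
    return bool(_NAME_RE.fullmatch(name))


def get_weight_unsafe(name: str):
    """The vulnerable pattern the advisory describes (hypothetical stand-in):
    the string is executed as Python, so whatever expression the caller
    supplies runs with the process's privileges."""
    return eval(name)


def get_weight(name: str) -> Enum:
    """Hardened lookup: resolve "<Enum>.<MEMBER>" through fixed tables only."""
    if not is_valid_weight_name(name):
        raise ValueError(f"malformed weight name: {name!r}")
    enum_name, member_name = name.split(".")
    enum_cls = _WEIGHT_ENUMS.get(enum_name)
    if enum_cls is None:
        raise ValueError(f"unknown weights enum: {enum_name!r}")
    try:
        # Enum.__getitem__ consults the member map only, so dunder or
        # attribute names that pass the shape check still fail here.
        return enum_cls[member_name]
    except KeyError:
        raise ValueError(f"unknown member {member_name!r} of {enum_name}") from None
```

The unsafe variant is kept only to show that it evaluates any expression at all, which is the defect; the hardened one raises `ValueError` for anything that is not a listed enum member.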
Vulnerability Details
EPSS: 0.5%
March 31, 2026
Original source: https://github.com/advisories/GHSA-ghq9-vc6f-8qjf
First tracked: April 1, 2026 at 02:00 AM
Classified by LLM (prompt v3) · confidence: 95%