CVE-2024-9701: 
Python vulnerability analysis and mitigation

A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). The vulnerability, tracked as CVE-2024-9701, was discovered and disclosed on March 20, 2025. The vulnerability affects the Kedro framework's session management functionality, specifically the ShelveStore class which is responsible for managing session data (NVD).

The vulnerability stems from the ShelveStore class's use of Python's shelve module for session data management, which relies on pickle for serialization. The core issue lies in the deserialization of untrusted data, classified as CWE-502 (Deserialization of Untrusted Data). The vulnerability has received a CVSS v3.0 base score of 9.8 (CRITICAL) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature (NVD).

The vulnerability allows attackers to execute arbitrary Python code through the deserialization of malicious payloads, potentially leading to a full system compromise. When exploited, an attacker can gain complete control over the affected system through the deserialization process (NVD).

The Kedro development team has addressed this vulnerability by completely removing the ShelveStore class from the codebase. This change was implemented through a commit that removes the vulnerable component entirely (GitHub Commit).