CVE-2025-0508: 
Python vulnerability analysis and mitigation

A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This vulnerability was discovered and disclosed on March 20, 2025, and is tracked as CVE-2025-0508. The issue affects all versions of the aws/sagemaker-python-sdk package that use MD5 hashing for workflow configurations (NVD).

The vulnerability stems from the use of MD5 hashing algorithm in the workflow component for generating hashes of configurations. Due to the cryptographic weaknesses of MD5, different configurations could produce the same hash value, leading to hash collisions. The vulnerability has been assigned a CVSS v3.0 base score of 5.9 (MEDIUM) with a vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating that while the attack complexity is high, it requires no privileges or user interaction (NVD, GitHub Commit).

The vulnerability can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes (NVD).

A fix has been implemented that replaces the MD5 hashing algorithm with SHA256 for file hashing throughout the codebase. The change affects multiple functions including hashobject, hashfile, and hashfilesor_dirs (GitHub Commit).