8.1

TorchGeo Code Injection Risk: Untrusted Input Executes Malicious Code

GHSA-g5vp-j278-8pjh CVE-2024-49048 GHSA-ghq9-vc6f-8qjf PYSEC-2024-204
Summary

TorchGeo, a Python library for geospatial data, has a vulnerability that allows an attacker to inject malicious code. This could happen if an attacker sends specially crafted data to a web application that uses TorchGeo. To protect your application, update TorchGeo to the latest version or use a secure data validation process.

What to do
  • Update torchgeo to version 0.6.1.
Affected software
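| Vendor    | Product  | Affected versions | Fix available |
|-----------|----------|-------------------|---------------|
|           | torchgeo | <= 0.6.1          | 0.6.1         |
| microsoft | torchgeo | <= 0.6.1          |               |
|           | torchgeo | > 0.4, <= 0.6.0   | 0.6.1         |
|           | torchgeo | <= 0.6.1          | 0.6.1         |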
Published: 12 Nov 2024 · Updated: 1 Apr 2026 · First seen: 6 Mar 2026