CVE-2025-58756
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-09-19

Assigner: GitHub, Inc.

Description
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in `model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)` in monai/bundle/scripts.py , `weights_only=True` is loaded securely. However, insecure loading methods still exist elsewhere in the project, such as when loading checkpoints. This is a common practice when users want to reduce training time and costs by loading pre-trained models downloaded from other platforms. Loading a checkpoint containing malicious content can trigger a deserialization vulnerability, leading to code execution. As of time of publication, no known fixed versions are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-09-19
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58756
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
monai medical_open_network_for_ai to 1.5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in MONAI arises from insecure deserialization when loading model checkpoints using PyTorch's torch.load function without the secure parameter weights_only=True. Attackers can craft malicious checkpoint files that, when loaded, execute arbitrary code on the host system. Although some parts of MONAI use secure loading, other parts still load checkpoints insecurely, allowing remote attackers to run arbitrary commands via deserialization of untrusted data. [1]

Impact Analysis

The vulnerability allows an attacker to execute arbitrary commands on the host system remotely without user interaction, potentially compromising confidentiality, integrity, and availability of the system. This can lead to unauthorized access, data manipulation, or disruption of services, especially if untrusted checkpoints are loaded to reduce training time or costs. [1]

Detection Guidance

This vulnerability can be detected by checking for the presence of files created by the proof-of-concept exploit, such as the file '/tmp/hacker2.txt', which indicates arbitrary code execution via malicious checkpoint loading. Additionally, monitoring for unexpected file creations or suspicious activity during checkpoint loading in MONAI could help detect exploitation attempts. Specific commands to check for the proof-of-concept artifact include: `ls /tmp/hacker2.txt` to see if the file exists. Monitoring logs or using system auditing tools to detect unexpected executions during model checkpoint loading is also recommended. [1]

Mitigation Strategies

Immediate mitigation steps include using safe loading methods that enforce the parameter `weights_only=True` or equivalent secure parameters when loading models in MONAI. Avoid loading checkpoints from untrusted or external sources without proper validation. Since no fixed versions are available as of the publication date, these precautions are critical to prevent exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58756. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart