CVE-2025-57622
Status: Received - Intake
Remote Code Execution via Deserialization in Step-Video-T2V APIs

Publication date: 2026-03-03

Last updated on: 2026-03-12

Assigner: MITRE

Description
An issue in Step-Video-T2V allows a remote attacker to execute arbitrary code via the /vae-api and /caption-api endpoints (the feature = pickle.loads(request.get_data()) component).
Meta Information
Published
2026-03-03
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-15
Affected Vendors & Products
1 associated CPE:
Vendor: stepfun-ai
Product: step-video-t2v
Version / Range: * (all versions)
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Executive Summary

CVE-2025-57622 is a critical Remote Code Execution (RCE) vulnerability in the Step-Video-T2V software. It arises from unsafe deserialization of untrusted data using Python's pickle module in the /vae-api and /caption-api endpoints. This flaw allows a remote attacker to send specially crafted data that, when deserialized by the server, can execute arbitrary system commands without authentication. [1]

Impact Analysis

This vulnerability can have a severe impact as it allows unauthenticated remote attackers to execute arbitrary code on the server hosting Step-Video-T2V. This can lead to full system compromise, including unauthorized access, data theft, service disruption, or further attacks launched from the compromised system.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring network traffic for requests to the /vae-api and /caption-api endpoints that contain suspicious or unexpected pickled data payloads, as these endpoints are vulnerable to unsafe deserialization.

You can use network inspection tools like tcpdump or Wireshark to capture HTTP GET requests targeting these endpoints and analyze the payloads for unusual or malicious serialized data.

Example commands to detect such activity include:

- Using tcpdump to capture HTTP GET requests to /vae-api or /caption-api endpoints on port 80 or 443 (the filter below keeps only packets that carry a TCP payload):
  tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'GET /vae-api|GET /caption-api'
- Using curl or similar tools to test the endpoints with crafted payloads to see if the server responds or crashes, indicating vulnerability.

Additionally, reviewing server logs for unusual errors or crashes related to these endpoints can help detect exploitation attempts. [1, 2]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the /vae-api and /caption-api endpoints to prevent unauthenticated remote access.

Avoid using Python's pickle module to deserialize untrusted input, as it allows arbitrary code execution.

If possible, apply patches or updates provided by the Step-Video-T2V project that fix the unsafe deserialization vulnerability.

Implement network-level protections such as firewall rules or API gateway filters to block or authenticate requests to these endpoints.

Monitor your systems for signs of compromise and consider isolating affected servers until the vulnerability is remediated. [1, 2]
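The following is an added example illustrating both the detection guidance and the mitigation advice above; it is not code from the Step-Video-T2V project or from this advisory. It assumes only what the description states, that the endpoints hand the raw request body to pickle.loads(). It shows the quoted unsafe pattern next to a hardened loader that first inspects the pickle stream with pictletools-style static opcode walking (pickletools.genops, which executes nothing) and then loads through an Unpickler whose find_class refuses every global lookup, plus a pickle-free wire format for float tensors. The function names, the opcode list and the header layout of that wire format are this example's own assumptions. The sample inputs are constructed inline; the "global reference" sample is just a pickle of the built-in print function, enough to show what the loader must refuse.

```python
import io
import json
import pickle
import pickletools
import struct

# Pickle opcodes that import a name or invoke a callable while the stream is
# being loaded. A stream that carries only containers and scalars never needs
# them, so their presence in an API request body is a strong signal. (Assumed
# list for this example; extend it to your own policy.)
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def load_feature_unsafe(body: bytes):
    """The pattern the advisory quotes (feature = pickle.loads(request.get_data())).
    Kept only for contrast: any sender controls what this executes."""
    return pickle.loads(body)


def suspicious_opcodes(body: bytes) -> list:
    """Walk the pickle stream with pickletools.genops (nothing is executed) and
    return the names of opcodes that could import or call objects.
    Truncated or malformed streams are reported as MALFORMED."""
    found = []
    try:
        for opcode, _arg, _pos in pickletools.genops(body):
            if opcode.name in CODE_OPCODES:
                found.append(opcode.name)
    except (ValueError, EOFError):
        found.append("MALFORMED")
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so the stream can only
    rebuild built-in containers and scalars."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_feature_restricted(body: bytes):
    """Hardened replacement for load_feature_unsafe: reject streams that carry
    code-bearing opcodes, then load with the restricted unpickler."""
    bad = suspicious_opcodes(body)
    if bad:
        raise pickle.UnpicklingError(f"rejected pickle stream: {bad}")
    return RestrictedUnpickler(io.BytesIO(body)).load()


def rejects(body: bytes) -> bool:
    """True when the hardened loader refuses the stream."""
    try:
        load_feature_restricted(body)
    except pickle.UnpicklingError:
        return True
    return False


# Pickle-free wire format for the float tensors such endpoints exchange.
# Assumed layout: 4-byte little-endian header length, JSON header, raw float32 data.
def tensor_to_wire(values, shape) -> bytes:
    header = json.dumps({"dtype": "float32", "shape": list(shape)}).encode()
    data = struct.pack(f"<{len(values)}f", *values)
    return struct.pack("<I", len(header)) + header + data


def tensor_from_wire(blob: bytes):
    (hlen,) = struct.unpack_from("<I", blob, 0)
    header = json.loads(blob[4:4 + hlen].decode())
    if header.get("dtype") != "float32":
        raise ValueError("unsupported dtype")
    count = 1
    for dim in header["shape"]:
        count *= int(dim)
    data = blob[4 + hlen:]
    if len(data) != 4 * count:
        raise ValueError("payload length does not match shape")
    return list(struct.unpack(f"<{count}f", data)), tuple(header["shape"])


# Constructed sample request bodies.
def sample_benign() -> bytes:
    return pickle.dumps({"feature": [1.0, 2.0, 3.0]})


def sample_global_reference() -> bytes:
    # A pickle that merely references a global (the print function); this is
    # the opcode shape a restricted loader must refuse.
    return pickle.dumps(print)


if __name__ == "__main__":
    print("benign:", suspicious_opcodes(sample_benign()), load_feature_restricted(sample_benign()))
    print("global reference:", suspicious_opcodes(sample_global_reference()), rejects(sample_global_reference()))
    print("wire round trip:", tensor_from_wire(tensor_to_wire([1.0, 2.5, -3.0, 0.0], (2, 2))))
```

Because pickled tensors (numpy arrays, torch tensors) themselves need GLOBAL and REDUCE opcodes to rebuild, a restricted loader of this kind cannot accept them; that is the point of the wire format at the end, which carries only a JSON header and raw float data and never hands the request body to an object reconstructor. The opcode scan works equally on a captured request body regardless of HTTP method, so it can also be run over payloads pulled from a packet capture.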
