CVE-2025-50472
Published: 01 August 2025
Summary
CVE-2025-50472 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked in the top 16.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
The modelscope/ms-swift library through version 2.6.1 contains a deserialization vulnerability in the ModelFileSystemCache class, specifically within the load_model_meta() function of swift/hub/utils/caching.py. The function invokes pickle.load() directly on .mdl files that may originate from untrusted sources, enabling arbitrary code execution as classified under CWE-502. The affected component is used during normal model checkpoint handling in the training workflow.
An attacker can supply a malicious serialized .mdl payload that executes arbitrary commands upon loading. Exploitation requires the victim to be tricked into treating the file as a legitimate checkpoint; once loaded, the payload runs while the subsequent training process continues without interruption, and the file remains hidden from casual inspection. The vulnerability carries a CVSS score of 9.8 and can be triggered remotely without authentication or user interaction beyond the training step.
The two provided references point to the vulnerable source location and a public repository documenting the issue, but contain no mitigation guidance or patch details. The associated EPSS score remains flat at 0.0186 with no observed increase after disclosure. The flaw is particularly relevant to machine-learning environments that rely on ms-swift for model management and distributed training.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23367
Vulnerability details
The modelscope/ms-swift library through 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized `.mdl` payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine. Note that the payload file is a hidden file, making it difficult for the victim to detect tampering. More importantly, during the model training process, after the `.mdl` file is loaded and executes arbitrary code, the normal training process remains unaffected, meaning the user remains unaware of the arbitrary code execution.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Compromise Software Supply Chain (T1195.002)
Why these techniques?
Vulnerability enables supply-chain compromise via malicious .mdl model artifacts (pickle deserialization RCE) and direct execution through loading of the tampered file during normal ML workflows.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the deserialization vulnerability by requiring timely remediation through patching the ms-swift library beyond version 2.6.1.
- SI-7 (Software, Firmware, and Information Integrity): Enforces integrity verification of software and information such as the .mdl model checkpoint files to prevent execution of tampered payloads via unsafe deserialization.
- Requires verification of component authenticity for model artifacts from external sources prior to loading, countering supply-chain attacks via malicious .mdl payloads.
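The following is an added example (not ms-swift's code and not part of this advisory) that puts the vulnerable pattern from the "Deeper analysis" section next to the two controls listed above: an integrity check on the `.mdl` bytes before any deserialization (SI-7 / component authenticity) and a restricted unpickler that refuses every global outside a small allowlist. It assumes a shared HMAC key is distributed out of band to the machines that produce and consume checkpoints; the key, the allowlist, the function names and the sample metadata are all constructed for this example. A harmless stdlib type (`datetime.date`) stands in for any global that a metadata file has no business referencing.

```python
import datetime
import hashlib
import hmac
import io
import pickle

# Allowlist of (module, name) globals the loader may resolve. Model metadata
# only needs plain containers and scalars; anything else is refused before
# pickle can instantiate it. (Constructed for this example.)
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "str"),
    ("builtins", "bytes"), ("builtins", "int"), ("builtins", "float"),
    ("builtins", "bool"),
}

TAG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tag prefixed to the body
DEMO_KEY = b"constructed-demo-key"       # assumption: shared out of band


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global outside SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def unsafe_load_model_meta(data: bytes):
    """The vulnerable pattern: pickle.load() on bytes of unknown origin.
    Every global the stream names is imported and may be called."""
    return pickle.load(io.BytesIO(data))


def restricted_load_model_meta(data: bytes):
    """Hardened loader: same stream format, globals allowlisted."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def sign_model_meta(meta: dict, key: bytes) -> bytes:
    """Producer side: serialize the metadata and prefix an HMAC tag."""
    body = pickle.dumps(meta, protocol=4)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def load_signed_model_meta(blob: bytes, key: bytes):
    """Consumer side: verify the tag BEFORE touching the pickle stream,
    then deserialize with the restricted loader."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an integrity tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("model meta integrity check failed")
    return restricted_load_model_meta(body)


def classify_artifact(blob: bytes, key: bytes) -> str:
    """Triage helper for a checkpoint directory: 'ok', 'bad-tag' or
    'refused-global'. A 'refused-global' result with a valid tag points at
    the producer; 'bad-tag' points at tampering or a wrong key."""
    try:
        load_signed_model_meta(blob, key)
        return "ok"
    except ValueError:
        return "bad-tag"
    except pickle.UnpicklingError:
        return "refused-global"


def make_demo_artifacts(key: bytes) -> dict:
    """Constructed sample inputs: a good file, a tampered one, and a
    correctly signed file whose stream references a non-allowlisted global."""
    good = sign_model_meta({"model_type": "qwen", "revision": "v1"}, key)
    # Flip one bit in the first body byte; the tag no longer matches.
    tampered = good[:TAG_LEN] + bytes([good[TAG_LEN] ^ 0x01]) + good[TAG_LEN + 1:]
    odd = sign_model_meta({"created": datetime.date(2025, 8, 1)}, key)
    return {"good": good, "tampered": tampered, "refused": odd}


if __name__ == "__main__":
    for name, blob in make_demo_artifacts(DEMO_KEY).items():
        print(f"{name:9s} -> {classify_artifact(blob, DEMO_KEY)}")
```

The order of checks is the point: `load_signed_model_meta` rejects a bad tag before the stream reaches `pickle`, because an unpickler executes globals as it parses, so "verify after load" would be too late. The allowlist is a second layer for files that are authentic but still should never carry code references.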