Cyber Resilience

CVE-2025-50472

Critical RCE

Published: 01 August 2025
Modified: 15 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0186 (83.4th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-50472 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks in the top 16.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

The modelscope/ms-swift library through version 2.6.1 contains a deserialization vulnerability in the ModelFileSystemCache class, specifically within the load_model_meta() function of swift/hub/utils/caching.py. The function invokes pickle.load() directly on .mdl files that may originate from untrusted sources, enabling arbitrary code execution as classified under CWE-502. The affected component is used during normal model checkpoint handling in the training workflow.

An attacker can supply a malicious serialized .mdl payload that executes arbitrary commands upon loading. Exploitation requires the victim to be tricked into treating the file as a legitimate checkpoint; once loaded, the payload runs while the subsequent training process continues without interruption, and the file remains hidden from casual inspection. The vulnerability carries a CVSS score of 9.8 and can be triggered remotely without authentication or user interaction beyond the training step.

The two provided references point to the vulnerable source location and a public repository documenting the issue, but contain no mitigation guidance or patch details. The associated EPSS score remains flat at 0.0186 with no observed increase after disclosure. The flaw is particularly relevant to machine-learning environments that rely on ms-swift for model management and distributed training.


Vulnerability details

The modelscope/ms-swift library through 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized `.mdl` payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine. Note that the payload file is a hidden file, making it difficult for the victim to detect tampering. More importantly, during the model training process, after the `.mdl` file is loaded and executes arbitrary code, the normal training process remains unaffected, meaning the user remains unaware of the arbitrary code execution.

CWE(s): CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques

T1195.002 Compromise Software Supply Chain (Initial Access): Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Vulnerability enables supply-chain compromise via malicious .mdl model artifacts (pickle deserialization RCE) and direct execution through loading of the tampered file during normal ML workflows.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26208 (shared CWE-502)
CVE-2025-21364 (shared CWE-502)
CVE-2025-60037 (shared CWE-502)
CVE-2026-27776 (shared CWE-502)
CVE-2024-12703 (shared CWE-502)
CVE-2026-24151 (shared CWE-502)
CVE-2025-33253 (shared CWE-502)
CVE-2026-24165 (shared CWE-502)
CVE-2026-31218 (shared CWE-502)
CVE-2026-31219 (shared CWE-502)


Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the deserialization vulnerability by requiring timely remediation through patching the ms-swift library beyond version 2.6.1.

SI-7 Software, Firmware, and Information Integrity (prevent)

Enforces integrity verification of software and information such as the .mdl model checkpoint files to prevent execution of tampered payloads via unsafe deserialization.

Component authenticity (prevent)

Requires verification of component authenticity for model artifacts from external sources prior to loading, countering supply-chain attacks via malicious .mdl payloads.
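As an added example (not ms-swift's own code), the integrity and authenticity checks above applied to the `load_model_meta()` pattern: a trusted SHA-256 digest is verified before any deserialization, and a restricted unpickler refuses globals outside an allowlist, in place of a bare `pickle.load()`. The allowlist, file names and metadata layout are assumptions made for the demonstration.

```python
import datetime
import hashlib
import hmac
import pathlib
import pickle
import tempfile

# Globals a metadata record may legitimately reference (an assumption for this
# example); anything else is refused before the unpickler can instantiate it.
ALLOWED_GLOBALS = {("builtins", "set"), ("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def sha256_of(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def safe_load_model_meta(path, expected_sha256):
    """Deserialize a .mdl record only if its digest matches the trusted value
    (an SI-7 style integrity check) and it names no forbidden globals."""
    if not hmac.compare_digest(sha256_of(path), expected_sha256):
        raise ValueError("digest mismatch, refusing to deserialize")
    with open(path, "rb") as f:
        return RestrictedUnpickler(f).load()

def outcome(path, expected_sha256):
    # Return the loaded record, or the reason the loader refused it.
    try:
        return safe_load_model_meta(path, expected_sha256)
    except (ValueError, pickle.UnpicklingError) as exc:
        return f"rejected: {exc}"

def demo():
    """Exercise the loader on three constructed hidden .mdl files."""
    with tempfile.TemporaryDirectory() as tmp:
        meta = {"model": "demo-model", "revision": "r1", "files": {"config.json": 123}}
        benign = pathlib.Path(tmp, ".demo.mdl")
        benign.write_bytes(pickle.dumps(meta))
        trusted = sha256_of(benign)  # digest recorded when the file was obtained
        tampered = pathlib.Path(tmp, ".tampered.mdl")
        tampered.write_bytes(benign.read_bytes() + b"\x00")  # modified after the fact
        # Intact file (digest passes) that reaches for a non-allowlisted global.
        foreign = pathlib.Path(tmp, ".foreign.mdl")
        foreign.write_bytes(pickle.dumps({"created": datetime.datetime(2025, 8, 1)}))
        return {
            "benign": outcome(benign, trusted),
            "tampered": outcome(tampered, trusted),
            "foreign_global": outcome(foreign, sha256_of(foreign)),
        }
```

The third case shows why a digest alone is not enough: it proves the file is the one you expected, while the allowlist is what stops a record from a trusted source that nevertheless names a global it should not.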

References