CVE-2025-58756
Published: 09 September 2025
Summary
CVE-2025-58756 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Monai Medical Open Network For Ai. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 17.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Computer Vision; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-7 (Software, Firmware, and Information Integrity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-7 (Software, Firmware, and Information Integrity): requires integrity verification of checkpoint files prior to torch.load deserialization, directly preventing execution of malicious content in tampered PyTorch checkpoints.
- SI-10 (Information Input Validation): validates the format and content of externally downloaded checkpoint files before insecure deserialization, rejecting malformed inputs that could trigger code execution.
- Scans checkpoint files from external platforms for malicious code prior to loading, eradicating threats that exploit insecure deserialization in MONAI.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization vulnerability (torch.load without weights_only) enables arbitrary code execution via malicious checkpoints/pre-trained models, facilitating client-side exploitation (T1203), supply chain compromise through tainted models (T1195.002), and poisoned pipeline execution (T1677).
NVD Description
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in `model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)` in monai/bundle/scripts.py, `weights_only=True` is loaded securely. However, insecure loading methods still exist elsewhere in the project, such as when loading checkpoints. This is a common practice when users want to reduce training time and costs by loading pre-trained models downloaded from other platforms. Loading a checkpoint containing malicious content can trigger a deserialization vulnerability, leading to code execution. As of time of publication, no known fixed versions are available.
Deeper analysis
CVE-2025-58756 is a deserialization vulnerability (CWE-502) affecting MONAI, an open-source AI toolkit for healthcare imaging, in versions up to and including 1.5.0. While secure loading with `weights_only=True` is used in monai/bundle/scripts.py for torch.load operations, insecure deserialization methods persist elsewhere in the project, particularly when loading checkpoints. This allows maliciously crafted checkpoint files—commonly downloaded from external platforms to accelerate training and reduce costs—to trigger arbitrary code execution upon loading.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network-accessible exploitation with low attack complexity, low privilege requirements, and no user interaction needed. Attackers can exploit it by supplying a victim with a tampered checkpoint file, which, when loaded in a MONAI environment, executes arbitrary code. This grants high-impact confidentiality, integrity, and availability compromises, such as data theft, model tampering, or system takeover on the hosting machine.
The Project-MONAI GitHub security advisory (GHSA-6vm5-6jv9-rjpj) details the issue, but as of publication, no fixed versions of MONAI are available, leaving users to mitigate by avoiding untrusted checkpoints, validating inputs prior to loading, or using sandboxed environments for model inference and training.
This vulnerability highlights risks in AI/ML workflows reliant on third-party pre-trained models, especially in sensitive healthcare imaging applications where deserialization of PyTorch checkpoints is routine. No real-world exploitation has been reported.
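As an added illustration (not code from the advisory, from MONAI, or from the PyTorch project), the following Python gate applies the SI-7 and SI-10 controls listed above before a checkpoint ever reaches torch.load: it first checks the file against a pinned SHA-256, then walks the pickle opcodes inside the archive with pickletools to list every global the stream would import, and refuses the file if any of them fall outside an allowlist. The zip layout (a data.pkl entry, as torch.save writes), the allowlist contents, and the two sample checkpoints are assumptions constructed for this example; torch itself is deliberately not imported, so the check runs without it and nothing is unpickled.

```python
"""Added example: gate a PyTorch-style checkpoint before it reaches torch.load.

Assumptions (not from the advisory): the checkpoint uses the zip layout that
torch.save produces (a data.pkl entry holding the pickle stream), and the
allowlist below is an illustrative subset of what a plain state_dict needs.
"""
import datetime
import hashlib
import io
import pickle
import pickletools
import zipfile

# Illustrative allowlist (assumption): globals a tensor-only state_dict references.
# Anything outside it, here datetime.date, is refused before unpickling.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
    "torch.HalfStorage",
    "torch.LongStorage",
}

# Opcodes that push a str onto the pickle stack; STACK_GLOBAL consumes two of them.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def sha256_hex(data: bytes) -> str:
    """SI-7: the digest a publisher would pin next to the download."""
    return hashlib.sha256(data).hexdigest()


def find_globals(pickle_bytes: bytes) -> list:
    """Return every module.name a pickle stream would import, without executing it.

    pickletools.genops only parses opcodes. GLOBAL (protocol <= 3) carries
    'module name' as its argument; STACK_GLOBAL (protocol 4+) takes the module
    and name from the two most recently pushed strings.
    """
    found = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(pickle_bytes):
        if opcode.name in STRING_OPS:
            recent_strings.append(arg)
        elif opcode.name == "GLOBAL":
            module, name = arg.replace("\n", " ").split()
            found.append(f"{module}.{name}")
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                found.append("<malformed STACK_GLOBAL>")
                continue
            found.append(f"{recent_strings[-2]}.{recent_strings[-1]}")
    return found


def checkpoint_pickle_streams(zip_bytes: bytes) -> list:
    """Extract the pickle payload(s) from a torch.save-style zip archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zf.read(n) for n in zf.namelist() if n.endswith("data.pkl")]


def safe_to_load(zip_bytes: bytes, expected_sha256: str) -> tuple:
    """SI-7 integrity check first, then SI-10 content validation. Returns (ok, reason)."""
    actual = sha256_hex(zip_bytes)
    if actual != expected_sha256:
        return False, f"integrity failure: sha256 {actual[:12]} != pinned {expected_sha256[:12]}"
    disallowed = set()
    for stream in checkpoint_pickle_streams(zip_bytes):
        disallowed.update(g for g in find_globals(stream) if g not in ALLOWED_GLOBALS)
    if disallowed:
        return False, "disallowed globals in checkpoint: " + ", ".join(sorted(disallowed))
    return True, "ok"


def make_checkpoint(payload) -> bytes:
    """Constructed stand-in for torch.save: a zip holding archive/data.pkl."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(payload, protocol=4))
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


# Constructed samples: plain floats need no imports at all, while a datetime.date
# pulls in a global through REDUCE, the same opcode path a hostile pickle relies on.
CLEAN_CKPT = make_checkpoint({"conv.weight": [0.1, -0.2, 0.3]})
TAMPERED_CKPT = make_checkpoint({"conv.weight": [0.1], "meta": datetime.date(2025, 9, 9)})
PINNED_SHA256 = sha256_hex(CLEAN_CKPT)  # what the publisher would ship alongside CLEAN_CKPT

if __name__ == "__main__":
    print(safe_to_load(CLEAN_CKPT, PINNED_SHA256))      # (True, 'ok')
    print(safe_to_load(TAMPERED_CKPT, PINNED_SHA256))   # integrity failure
    print(safe_to_load(TAMPERED_CKPT, sha256_hex(TAMPERED_CKPT)))  # disallowed globals
```

The ordering matters: the digest comparison rejects a swapped file before any parsing, and the opcode walk only ever reads bytes, so a file that fails either check is never unpickled. In a real pipeline this pre-check sits in front of `torch.load(..., weights_only=True)` rather than replacing it; the restricted unpickler behind `weights_only` is the primary control, and this gate adds the integrity pin and a reviewable record of what the file would import.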
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- Affected Products: MONAI (Medical Open Network for AI), versions up to and including 1.5.0
AI Security Analysis
- AI Category: Computer Vision
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: MONAI is an AI toolkit specialized for healthcare imaging, involving computer vision tasks such as segmentation, classification, and analysis of medical images using deep learning.