CVE-2025-58756
Published: 09 September 2025
Summary
CVE-2025-58756 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in MONAI (Medical Open Network for AI). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 13.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Computer Vision; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-7 (Software, Firmware, and Information Integrity) and SI-10 (Information Input Validation).
Deeper analysis
MONAI, an AI toolkit for healthcare imaging, is affected by a deserialization vulnerability in all versions through 1.5.0. Although one code path in monai/bundle/scripts.py uses torch.load with weights_only=True, other locations that load checkpoints continue to accept untrusted serialized data, exposing users who resume training or import pre-trained models downloaded from external platforms.
An authenticated attacker can host or substitute a malicious checkpoint file; when a victim loads it, the deserialization triggers remote code execution, granting full control over the process and potentially the host system.
The referenced GitHub Security Advisory states that no fixed versions are available at the time of publication.
The issue is relevant to AI/ML pipelines that routinely load external checkpoints to reduce training cost, carries a CVSS score of 8.8, and shows a flat EPSS of 0.0276 with no material rise since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27190
Vulnerability details
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the call `model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)` in monai/bundle/scripts.py loads securely because it passes `weights_only=True`. However, insecure loading methods still exist elsewhere in the project, such as when loading checkpoints. This is a common practice when users want to reduce training time and costs by loading pre-trained models downloaded from other platforms. Loading a checkpoint containing malicious content can trigger a deserialization vulnerability, leading to code execution. As of the time of publication, no known fixed versions are available.
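The advisory's point is that one `torch.load` call site was hardened with `weights_only=True` while others were not. A reviewer auditing a code base for the same pattern can find the remaining call sites statically. The following is an added example (not MONAI project code) that walks a Python source file's AST and reports every `torch.load` call that does not explicitly pass `weights_only=True`; the sample source it scans is constructed for illustration and is not taken from MONAI.

```python
"""Static audit for torch.load() calls that do not pass weights_only=True.

Added example, not MONAI code. Flags three cases the advisory is about:
  - weights_only omitted (behaviour then depends on the installed PyTorch
    default, which only became True in PyTorch 2.6),
  - weights_only=False passed explicitly,
  - torch.load reached through `from torch import load [as alias]`.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    reason: str


def _torch_load_aliases(tree: ast.AST) -> set[str]:
    """Names bound by `from torch import load` / `from torch import load as x`."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "torch":
            for alias in node.names:
                if alias.name == "load":
                    names.add(alias.asname or alias.name)
    return names


def _is_torch_load(call: ast.Call, aliases: set[str]) -> bool:
    """True for `torch.load(...)` or a bare name imported from torch as load."""
    f = call.func
    if isinstance(f, ast.Attribute) and f.attr == "load":
        return isinstance(f.value, ast.Name) and f.value.id == "torch"
    return isinstance(f, ast.Name) and f.id in aliases


def _weights_only_literal(call: ast.Call):
    """Literal value of weights_only=..., or None if absent or not a literal."""
    for kw in call.keywords:
        if kw.arg == "weights_only" and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return None


def audit_source(source: str) -> list[Finding]:
    """Return findings (sorted by line) for unsafe-looking torch.load calls."""
    tree = ast.parse(source)
    aliases = _torch_load_aliases(tree)
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not _is_torch_load(node, aliases):
            continue
        value = _weights_only_literal(node)
        if value is True:
            continue  # the hardened form the advisory cites
        if value is False:
            findings.append(Finding(node.lineno, "torch.load with weights_only=False"))
        else:
            findings.append(Finding(node.lineno, "torch.load without weights_only=True"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample, not MONAI source: one safe call and three to flag.
SAMPLE_SOURCE = '''
import torch
from torch import load as tload

def good(path):
    return torch.load(path, map_location="cpu", weights_only=True)

def bad_default(path):
    return torch.load(path, map_location="cpu")

def bad_explicit(path):
    return torch.load(path, weights_only=False)

def bad_alias(path):
    return tload(path)
'''

if __name__ == "__main__":
    for finding in audit_source(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.reason}")
```

Run it against a real tree by reading each `.py` file and passing its text to `audit_source`; a non-literal `weights_only` argument (a variable) is reported as "without", which is the conservative choice for a review tool.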
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
AI Security Analysis
- AI Category: Computer Vision
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization vulnerability (torch.load without weights_only) enables arbitrary code execution via malicious checkpoints/pre-trained models, facilitating client-side exploitation (T1203), supply chain compromise through tainted models (T1195.002), and poisoned pipeline execution (T1677).
Mitigating Controls (NIST 800-53 r5)
- SI-7 (Software, Firmware, and Information Integrity): requires integrity verification of checkpoint files prior to torch.load deserialization, directly preventing execution of malicious content in tampered PyTorch checkpoints.
- SI-10 (Information Input Validation): validates the format and content of externally downloaded checkpoint files before insecure deserialization, rejecting malformed inputs that could trigger code execution.
- Scans checkpoint files from external platforms for malicious code prior to loading, eradicating threats that exploit insecure deserialization in MONAI.
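The integrity control above (verify before `torch.load`) is straightforward to put in front of any checkpoint-loading code path. The following added example is not MONAI code: it assumes the operator keeps an out-of-band manifest mapping checkpoint file names to expected SHA-256 digests (published by the model provider and fetched over a separate trusted channel), refuses to load anything unlisted or mismatched, and only then calls `torch.load` with `weights_only=True`. `torch` is imported lazily so the gate itself runs without PyTorch installed; the manifest and file contents are constructed.

```python
"""Integrity gate in front of torch.load (added example, not MONAI code).

Assumes a trusted manifest {file name: hex SHA-256}. A file that is not in
the manifest, or whose digest differs, is rejected before torch.load is
reached; the load itself still uses weights_only=True as defence in depth.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


class CheckpointIntegrityError(RuntimeError):
    """Raised when a checkpoint is unlisted or does not match its digest."""


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so large checkpoints are not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checkpoint(path: Path, expected_sha256: str) -> bool:
    """Compare the file digest with the expected value in constant time."""
    actual = sha256_of_file(Path(path))
    return hmac.compare_digest(actual.lower(), expected_sha256.strip().lower())


def gate_status(path, manifest: dict) -> str:
    """Outcome of the pre-load gate: 'ok', 'unlisted' or 'mismatch'."""
    path = Path(path)
    expected = manifest.get(path.name)
    if expected is None:
        return "unlisted"
    return "ok" if verify_checkpoint(path, expected) else "mismatch"


def load_checkpoint(path, manifest: dict, device: str = "cpu"):
    """Load a checkpoint only after it passes the manifest/digest gate."""
    path = Path(path)
    status = gate_status(path, manifest)
    if status != "ok":
        raise CheckpointIntegrityError(f"{path.name}: {status}")
    import torch  # deferred: only reached once the file has been verified

    return torch.load(path, map_location=torch.device(device), weights_only=True)


def make_sample_file(data: bytes, name: str = "model.pt") -> Path:
    """Write constructed bytes into a fresh temp dir and return the path."""
    directory = Path(tempfile.mkdtemp(prefix="ckpt-"))
    sample = directory / name
    sample.write_bytes(data)
    return sample


if __name__ == "__main__":
    # Constructed demo: a trusted file, a tampered copy with the same name,
    # and a file the manifest has never heard of.
    trusted = make_sample_file(b"constructed checkpoint bytes")
    manifest = {trusted.name: sha256_of_file(trusted)}
    tampered = make_sample_file(b"constructed checkpoint bytes, altered")
    unknown = make_sample_file(b"anything", name="other.pt")
    for candidate in (trusted, tampered, unknown):
        print(candidate.name, "->", gate_status(candidate, manifest))
```

The manifest must come from somewhere the checkpoint's distribution channel cannot also tamper with; a digest published beside the file on the same download page only proves the download was not corrupted in transit. Signing the manifest (or the checkpoint) with a key the operator already trusts is the natural next step, and pairs with the malware scan listed as the third control.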