CVE-2025-58757
Published: 09 September 2025
Summary
CVE-2025-58757 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in MONAI (Medical Open Network for AI). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); the CVE ranks in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Computer Vision and falls in the Data-Related Vulnerabilities risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
MONAI, an AI toolkit for healthcare imaging, contains a deserialization vulnerability in versions up to and including 1.5.0. The pickle_operations function in monai/data/utils.py automatically processes dictionary key-value pairs whose keys end with a designated suffix and passes the associated values directly to pickle.loads without any validation or security controls, enabling arbitrary code execution via CWE-502.
An unauthenticated remote attacker can exploit the flaw by supplying a crafted dictionary containing a malicious serialized object. When the victim application invokes pickle_operations on that input, the embedded payload executes with the privileges of the MONAI process, potentially resulting in full confidentiality, integrity, and availability impact; the CVSS 8.8 score reflects that the attack requires only user interaction to trigger.
The public GitHub Security Advisory GHSA-p8cm-mm2v-gwjm confirms that no patched releases were available at the time of disclosure. Organizations must therefore avoid processing untrusted data with the affected function or implement their own safe deserialization wrapper until a fix is released.
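The pattern the analysis describes (a loop over dictionary entries whose keys end in a suffix, with each value handed to pickle.loads) and the "safe deserialization wrapper" it recommends can both be shown in a few lines of Python. The example below is added here for illustration and is not MONAI's code: the suffix `_pickled`, the function names, the allowlist and the size cap are all assumptions, and the sample inputs are constructed. The wrapper subclasses `pickle.Unpickler` and overrides `find_class` so that any global reference not on a small allowlist is refused before any object is constructed; the same processing loop is run once with the unchecked loader and once with the restricted one to show the difference.

```python
import datetime
import io
import pickle
from typing import Any, Callable, Dict

# Assumed suffix for illustration only; the advisory does not name MONAI's actual suffix.
PICKLE_KEY_SUFFIX = "_pickled"
# Constructed cap on an individual pickled field; tune to realistic payload sizes.
MAX_PICKLE_BYTES = 1 << 20

# Allowlist of (module, name) pairs the restricted unpickler may resolve.
# Plain containers and scalars never trigger find_class at all; anything that does
# (a class, a function, a callable named via __reduce__) must be listed here.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "int"),
    ("builtins", "float"), ("builtins", "str"), ("builtins", "bytes"),
    ("builtins", "bool"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals (assumed wrapper, not MONAI's)."""

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        # Refuse before the stream can name a callable; nothing is instantiated.
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} during unpickling"
        )


def safe_loads(data: Any) -> Any:
    """Hardened replacement for pickle.loads: type check, size cap, restricted globals."""
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("pickled field must be bytes")
    if len(data) > MAX_PICKLE_BYTES:
        raise ValueError("pickled field exceeds size cap")
    return RestrictedUnpickler(io.BytesIO(bytes(data))).load()


def pickle_operations_like(data: Dict[str, Any],
                           loader: Callable[[Any], Any] = pickle.loads) -> Dict[str, Any]:
    """Illustrative reimplementation of the pattern the advisory describes: every value
    under a key ending in PICKLE_KEY_SUFFIX is deserialized and stored back under the
    key with the suffix removed. With the default loader this is the unchecked
    behaviour; passing safe_loads gives the hardened form."""
    out: Dict[str, Any] = {}
    for key, value in data.items():
        if key.endswith(PICKLE_KEY_SUFFIX):
            out[key[: -len(PICKLE_KEY_SUFFIX)]] = loader(value)
        else:
            out[key] = value
    return out


def demo():
    """Run both loaders over constructed inputs; returns (hardened_result, rejected, accepted_unchecked)."""
    # Constructed sample: one plain field and one pickled field holding only allowlisted types.
    benign = {
        "image_pickled": pickle.dumps({"spacing": [1.0, 1.0, 2.5], "modality": "CT"}),
        "id": "case-001",
    }
    # Constructed stand-in for an untrusted stream that references a global: a harmless
    # datetime.date object, whose class is not on the allowlist.
    not_allowlisted = {"meta_pickled": pickle.dumps(datetime.date(2025, 9, 9))}

    hardened_result = pickle_operations_like(benign, safe_loads)
    try:
        pickle_operations_like(not_allowlisted, safe_loads)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    # The unchecked loader resolves the global and builds the object without complaint.
    unchecked = pickle_operations_like(not_allowlisted, pickle.loads)
    accepted_unchecked = isinstance(unchecked["meta"], datetime.date)
    return hardened_result, rejected, accepted_unchecked


if __name__ == "__main__":
    print(demo())
```

The allowlist is the whole control: `find_class` is the only point at which a pickle stream can name a module-level object, so refusing everything not explicitly listed removes the path from a crafted stream to an arbitrary callable. The preferable fix remains not to unpickle untrusted input at all (a JSON or NumPy `.npy` representation of the same metadata needs no code execution to decode); the wrapper is the interim measure the advisory suggests while no patched release exists.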
EPSS remains low and unchanged at 0.0139, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27189
Vulnerability details
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the `pickle_operations` function in `monai/data/utils.py` automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using `pickle.loads()`. This function also lacks any security measures. The deserialization may lead to code execution. As of time of publication, no known fixed versions are available.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
AI Security Analysis
- AI Category: Computer Vision
- Risk Domain: Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unsafe pickle deserialization in MONAI's data processing enables arbitrary code execution when processing attacker-controlled data, facilitating Python code execution (T1059.006) and exploitation of client software vulnerabilities (T1203).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): requires validation of untrusted dictionary inputs to the pickle_operations function, directly preventing deserialization of malicious payloads that leads to code execution.
SI-2 (Flaw Remediation): mandates timely flaw remediation, including patching the unsafe pickle deserialization in MONAI versions up to 1.5.0 when fixes become available.
Vulnerability scanning and monitoring identify the deserialization flaw in MONAI deployments, enabling proactive mitigation.