Cyber Resilience

CVE-2025-58757

HighPublic PoCRCE

Published: 09 September 2025

Published
09 September 2025
Modified
19 September 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0139 80.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-58757 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Monai Medical Open Network For Ai. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); ranked in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Computer Vision; in the Data-Related Vulnerabilities risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

MONAI, an AI toolkit for healthcare imaging, contains a deserialization vulnerability in versions up to and including 1.5.0. The pickle_operations function in monai/data/utils.py automatically processes dictionary key-value pairs whose keys end with a designated suffix and passes the associated values directly to pickle.loads without any validation or security controls, enabling arbitrary code execution via CWE-502.

An unauthenticated remote attacker can exploit the flaw by supplying a crafted dictionary containing a malicious serialized object. When the victim application invokes pickle_operations on that input, the embedded payload executes with the privileges of the MONAI process, potentially resulting in full confidentiality, integrity, and availability impact as reflected in the CVSS 8.8 score that requires only user interaction to trigger.

The public GitHub Security Advisory GHSA-p8cm-mm2v-gwjm confirms that no patched releases were available at the time of disclosure. Organizations must therefore avoid processing untrusted data with the affected function or implement their own safe deserialization wrapper until a fix is released.

EPSS remains low and unchanged at 0.0139, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the `pickle_operations` function in `monai/data/utils.py` automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using…

more

`pickle.loads()` . This function also lacks any security measures. The deserialization may lead to code execution. As of time of publication, no known fixed versions are available.

CWE(s)

AI Security AnalysisAI

AI Category
Computer Vision
Risk Domain
Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The unsafe pickle deserialization in MONAI's data processing enables arbitrary code execution when processing attacker-controlled data, facilitating Python code execution (T1059.006) and exploitation of client software vulnerabilities (T1203).

CVEs Like This One

CVE-2025-58756Same product: Monai Medical Open Network For Ai
CVE-2025-58755Same product: Monai Medical Open Network For Ai
CVE-2026-3071Shared CWE-502
CVE-2026-45360Shared CWE-502
CVE-2026-38950Shared CWE-502
CVE-2026-31222Shared CWE-502
CVE-2025-54886Shared CWE-502
CVE-2026-31223Shared CWE-502
CVE-2026-21226Shared CWE-502
CVE-2026-31224Shared CWE-502

Affected Assets

monai
medical open network for ai
≤ 1.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of untrusted dictionary inputs to the pickle_operations function, directly preventing deserialization of malicious payloads leading to code execution.

prevent

Mandates timely flaw remediation, including patching the unsafe pickle deserialization vulnerability in MONAI versions up to 1.5.0 when fixes become available.

detect

Vulnerability scanning and monitoring identifies the deserialization flaw in MONAI deployments, enabling proactive mitigation.

References