{"id":74880,"date":"2025-09-14T15:11:07","date_gmt":"2025-09-14T15:11:07","guid":{"rendered":""},"modified":"2025-10-21T10:43:00","modified_gmt":"2025-10-21T16:43:00","slug":"cve-2025-58756-a-critical-deserialization-vulnerability-in-monai-ai-toolkit","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-58756-a-critical-deserialization-vulnerability-in-monai-ai-toolkit\/","title":{"rendered":"<strong>CVE-2025-58756: A Critical Deserialization Vulnerability in MONAI AI Toolkit<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>CVE-2025-58756 is a critical vulnerability discovered in the MONAI (Medical Open Network for AI) toolkit, a popular AI solution for healthcare imaging. This vulnerability, stemming from an insecure loading method, can potentially lead to an attacker executing malicious code, compromising the system and potentially leading to data leaks. This <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-58259-denial-of-service-vulnerability-in-rancher-manager-due-to-unrestricted-payload-size\/\"  data-wpil-monitor-id=\"85817\">vulnerability is particularly worrisome due<\/a> to MONAI&#8217;s widespread usage in the healthcare sector, making it a prime target for cybercriminals seeking sensitive medical data.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-58756<br \/>\nSeverity: Critical &#8211; CVSS 8.8<br \/>\nAttack Vector: Remote<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2022-45134-critical-vulnerability-in-mahara-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"82881\">Potential system<\/a> compromise and data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-71133478\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p>Product | Affected Versions<\/p>\n<p>MONAI | Up to and including 1.5.0<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-58757-remote-code-execution-vulnerability-in-monai-ai-toolkit\/\"  data-wpil-monitor-id=\"88595\">vulnerability lies in the way MONAI<\/a> loads checkpoints. While the `model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)` in monai\/bundle\/scripts.py is loaded securely, there are other instances in the project where checkpoints are loaded insecurely. This insecure method could be <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-6454-authenticated-user-exploit-in-gitlab-ce-ee-through-proxy-environments\/\"  data-wpil-monitor-id=\"90756\">exploited when users<\/a> attempt to reduce training time and costs by loading pre-trained models downloaded from other platforms. If a malicious actor can manipulate these pre-trained models or checkpoints, they can introduce malicious content that, when loaded, triggers a deserialization vulnerability, leading to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-54678-local-arbitrary-code-execution-vulnerability-in-simatic-and-sirius-products\/\"  data-wpil-monitor-id=\"82370\">arbitrary code execution<\/a>.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-2924967235\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>A conceptual example of how this vulnerability might be exploited is an attacker crafting a malicious pre-trained model or checkpoint. When this model is loaded by the victim, the malicious <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-9060-msoft-mflash-arbitrary-code-execution-vulnerability\/\"  data-wpil-monitor-id=\"82454\">code gets executed<\/a>. Below is a simplified example:<\/p>\n<pre><code class=\"\" data-line=\"\"># Attacker crafts a model with malicious code\nclass MaliciousModel:\ndef __reduce__(self):\nreturn (os.system, (&#039;cat \/etc\/passwd &gt; \/tmp\/passwd_copy&#039;,))\ncheckpoint = {\n&#039;model&#039;: MaliciousModel(),\n# other legit data\n}\n# Victim loads the model\ntorch.load(&#039;malicious_checkpoint.pth&#039;)<\/code><\/pre>\n<p>In this example, the malicious model, when deserialized, executes the `os.system` function with the argument `&#8217;cat \/etc\/passwd > \/tmp\/passwd_copy&#8217;`, copying the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-4414-critical-php-remote-file-inclusion-vulnerability-in-cmsmasters-content-composer\/\"  data-wpil-monitor-id=\"91057\">content of `\/etc\/passwd` to a temporary file<\/a>.<br \/>\nPlease note that this is a simplified example and the actual exploitation may involve more complex steps and obfuscation techniques.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview CVE-2025-58756 is a critical vulnerability discovered in the MONAI (Medical Open Network for AI) toolkit, a popular AI solution for healthcare imaging. This vulnerability, stemming from an insecure loading method, can potentially lead to an attacker executing malicious code, compromising the system and potentially leading to data leaks. This vulnerability is particularly worrisome due [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[80],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-74880","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-rce"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/74880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=74880"}],"version-history":[{"count":7,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/74880\/revisions"}],"predecessor-version":[{"id":84074,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/74880\/revisions\/84074"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=74880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=74880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=74880"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=74880"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=74880"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=74880"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=74880"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=74880"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=74880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}