CVE-2025-58757: Monai: Unsafe use of Pickle deserialization may lead to RCE
The pickle_operations function in monai/data/utils.py automatically handles dictionary key-value pairs whose keys end with a specific suffix and deserializes their values with pickle.loads(). The function applies no validation or restriction to the pickled data before loading it, so an attacker-controlled value reaches pickle.loads() unchecked.
When verified using the following proof-of-concept, arbitrary code execution can occur.
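The following is an added example, not the advisory's proof-of-concept and not MONAI's own code: a defender-side sketch of the pattern the advisory describes (a dictionary decode that pickle-loads values stored under suffixed keys), with two guards layered in, a pickletools opcode scan that flags streams able to import or call objects, and a pickle.Unpickler subclass whose find_class resolves only allow-listed globals. The key suffix "_pickle", the record layout and the sample values are constructed placeholders, since the advisory does not name the real suffix.

```python
import collections
import io
import pickle
import pickletools

# Placeholder: the advisory does not name the real key suffix MONAI matches on.
PICKLE_KEY_SUFFIX = "_pickle"
# Opcodes through which a pickle stream can import or call arbitrary objects.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}
# Globals the unpickler may resolve. Empty here: any entry becomes callable via
# REDUCE/NEWOBJ, so each one must be audited before it is added.
ALLOWED_GLOBALS: set[tuple[str, str]] = set()

def risky_opcodes(blob: bytes) -> set[str]:
    """Static pre-check: which code-invoking opcodes does this stream contain?"""
    return {op.name for op, _arg, _pos in pickletools.genops(blob)} & RISKY_OPCODES

class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only allow-listed globals; any other lookup aborts the load."""
    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def decode_pickled_values(data: dict, suffix: str = PICKLE_KEY_SUFFIX) -> dict:
    """Hardened sketch of a suffix-driven decode: a value whose key ends in `suffix`
    is loaded via RestrictedUnpickler and stored under the key minus the suffix."""
    out = {}
    for key, value in data.items():
        if isinstance(key, str) and key.endswith(suffix) and isinstance(value, bytes):
            out[key[: -len(suffix)]] = RestrictedUnpickler(io.BytesIO(value)).load()
        else:
            out[key] = value
    return out

def decode_or_reject(data: dict) -> tuple[bool, object]:
    """Returns (True, decoded) or (False, reason) so callers can log rejections."""
    try:
        return True, decode_pickled_values(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)

# Constructed sample records. PLAIN needs no global. NEEDS_GLOBAL is harmless but
# references collections.OrderedDict: the same lookup path a malicious stream
# uses to reach a dangerous callable, so the guard must reject it too.
PLAIN = pickle.dumps({"spacing": [1.0, 1.0, 2.5], "label": "liver"})
NEEDS_GLOBAL = pickle.dumps(collections.OrderedDict(a=1))
SAFE_RECORD = {"image_meta" + PICKLE_KEY_SUFFIX: PLAIN, "id": 7}
UNSAFE_RECORD = {"image_meta" + PICKLE_KEY_SUFFIX: NEEDS_GLOBAL, "id": 8}
```

The opcode scan is only a triage signal; the allow-list unpickler is what actually stops an unexpected global from being resolved, and every name added to ALLOWED_GLOBALS becomes callable through REDUCE and must be reviewed.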