PT-2026-51062 · Stanza+1
Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-54499
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Stanza version 1.12.0
Description
An issue exists where the software attempts to load PyTorch checkpoint files using a safe method but automatically falls back to an unsafe deserialization process when a pickle.UnpicklingError occurs. Because an attacker can trigger this error by including an unsupported pickle global in a .pt file, the system then invokes the full pickle deserializer, allowing arbitrary code execution. This occurs within the Stanza pretrain-loading API when loading malicious pretrain or model files placed on disk via supply-chain compromise, poisoned repositories, or shared caches.
Technical details include the following vulnerable components:
- API Endpoints: stanza.models.common.foundation_cache.load_pretrain(path)
- Vulnerable Functions: Pretrain.load(), and loaders within stanza/models/common/pretrain.py, stanza/models/coref/model.py, stanza/models/classifiers/trainer.py, stanza/models/constituency/base_trainer.py, and stanza/models/lemma_classifier/base_model.py.
Recommendations
For version 1.12.0, remove the unsafe fallback mechanism in the affected loaders so that the system fails closed when weights_only=True raises an UnpicklingError. If legacy files containing NumPy objects must be supported, use the add_safe_globals() API to allowlist the specific required dtypes instead of disabling safety checks. As a temporary mitigation, restrict access to the model cache and avoid loading pretrain files from untrusted sources.
Fix
Deserialization of Untrusted Data
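The fallback pattern described above and the allowlist-based fix, modelled with the standard-library pickle module as an added example (this is not Stanza's or PyTorch's code): `RestrictedUnpickler` and `add_safe_globals` here are stand-ins for the restricted loader behind `torch.load(weights_only=True)` and for `torch.serialization.add_safe_globals`, the checkpoint bytes are constructed inline, and the non-allowlisted global is the harmless `fractions.Fraction` standing in for the NumPy dtype objects in legacy pretrain files rather than any malicious payload.

```python
import io
import pickle
from collections import OrderedDict
from fractions import Fraction

# Globals the restricted loader accepts. Models the restricted unpickler behind
# torch.load(weights_only=True); only the container type is allowed by default.
_BASE_SAFE_GLOBALS = {("collections", "OrderedDict")}
_EXTRA_SAFE_GLOBALS = set()  # extended via add_safe_globals()


class RestrictedUnpickler(pickle.Unpickler):
    """Reject any GLOBAL opcode whose target is not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in _BASE_SAFE_GLOBALS | _EXTRA_SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"unsupported global {module}.{name}")


def add_safe_globals(objs):
    """Allowlist specific classes (stand-in for torch.serialization.add_safe_globals)."""
    for obj in objs:
        _EXTRA_SAFE_GLOBALS.add((obj.__module__, obj.__qualname__))


def safe_load(data):
    """Restricted deserialization: fails with UnpicklingError on unknown globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def vulnerable_load(data):
    """The 'before' pattern from the advisory: when the restricted loader refuses
    the file, retry with the full deserializer. Any file the attacker controls
    can force this branch simply by containing an unsupported global."""
    try:
        return safe_load(data)
    except pickle.UnpicklingError:
        return pickle.loads(data)  # full pickle: executes whatever the file encodes


def hardened_load(data):
    """Fail closed: the UnpicklingError propagates instead of triggering a fallback."""
    return safe_load(data)


def try_load(loader, data):
    """Return ('ok', obj) or ('rejected', reason) so outcomes can be inspected."""
    try:
        return "ok", loader(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# Constructed sample checkpoints. TRUSTED_CKPT uses only allowlisted types;
# LEGACY_CKPT carries a global (fractions.Fraction) that is benign here but not
# allowlisted, standing in for NumPy dtypes found in older pretrain files.
TRUSTED_CKPT = pickle.dumps(OrderedDict([("embed.weight", [0.1, 0.2])]), protocol=2)
LEGACY_CKPT = pickle.dumps(OrderedDict([("scale", Fraction(1, 2))]), protocol=2)


if __name__ == "__main__":
    print("hardened, trusted file :", try_load(hardened_load, TRUSTED_CKPT))
    print("hardened, legacy file  :", try_load(hardened_load, LEGACY_CKPT))
    print("vulnerable, legacy file:", try_load(vulnerable_load, LEGACY_CKPT)[0],
          "(fallback silently ran the full deserializer)")
    add_safe_globals([Fraction])  # allowlist only the one type the legacy file needs
    print("hardened + allowlist   :", try_load(hardened_load, LEGACY_CKPT))
```

The point of the two loaders is the branch taken on `UnpicklingError`: `vulnerable_load` treats it as a reason to lower its guard, which is exactly the condition a crafted file can produce at will, while `hardened_load` treats it as a hard failure and the operator extends the allowlist one type at a time instead.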
Related Identifiers
Affected Products
Pytorch
Stanza