CVE-2025-5173 — HIGH (CVSS 7.8) AI Security Vulnerability

Q: Is CVE-2025-5173 actively exploited?

No confirmed active exploitation of CVE-2025-5173 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2025-5173?

1. IMMEDIATE: Audit all .pt model files loaded by label-studio-ml-backend — verify SHA checksums against known-good sources. 2. Restrict the `path` argument to an allowlist of trusted directories; block user-controllable file paths reaching the `load()` function. 3. Switch to `torch.load(..., weights_only=True)` (PyTorch ≥1.13) to disable arbitrary code execution during deserialization — this is the correct long-term fix the vendor should implement. 4. Run the ML backend in an isolated container with no access to sensitive credentials or internal networks (defense in depth). 5. Monitor for unexpected process spawning from the label-studio-ml-backend process. 6. If using pip: pin label-studio-ml to a reviewed commit hash until a fix is released; watch GitHub issue #765 for patch status. 7. Do not load model files from untrusted public repositories (HuggingFace, public S3 buckets) without verification.

Q: What systems are affected by CVE-2025-5173?

This vulnerability affects the following AI/ML architecture patterns: ML data labeling pipelines, Model serving, Training pipelines, MLOps/CI-CD pipelines.

Q: What is the CVSS score for CVE-2025-5173?

CVE-2025-5173 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.10%.

CISO Take

A malicious PyTorch model file (.pt) loaded by the YOLO integration in label-studio-ml-backend triggers arbitrary code execution via Python pickle deserialization — the classic unsafe `torch.load()` pattern. If your ML teams use Label Studio for data labeling with YOLO models sourced from any external or shared location, treat this as a supply chain risk and restrict model file provenance immediately. No patch is available; apply compensating controls now.

Risk Assessment

CVSS 7.8 with local attack vector reduces immediate internet-exposed risk, but in shared ML environments (multi-user Label Studio deployments, CI/CD pipelines, or Jupyter-adjacent workflows) the 'local' requirement is trivially met by any authenticated user or compromised upstream model source. The absence of a patch and the rolling-release model with no versioned fix compounds the exposure. EPSS 0.001 reflects current in-the-wild activity, not potential — PyTorch pickle exploits are well-documented and tooling exists. Elevated risk for organizations running data labeling pipelines with externally-sourced models.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
label-studio-ml	pip	<= 1.0.9	No patch
27.3K 1 dependents Pushed yesterday 71% patched ~145d to patch Full package profile →
label_studio_ml_backend	—	—	No patch

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 28% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

7 steps

IMMEDIATE

Audit all .pt model files loaded by label-studio-ml-backend — verify SHA checksums against known-good sources.
Restrict the path argument to an allowlist of trusted directories; block user-controllable file paths reaching the load() function.
Switch to torch.load(..., weights_only=True) (PyTorch ≥1.13) to disable arbitrary code execution during deserialization — this is the correct long-term fix the vendor should implement.
Run the ML backend in an isolated container with no access to sensitive credentials or internal networks (defense in depth).
Monitor for unexpected process spawning from the label-studio-ml-backend process.
If using pip: pin label-studio-ml to a reviewed commit hash until a fix is released; watch GitHub issue #765 for patch status.
Do not load model files from untrusted public repositories (HuggingFace, public S3 buckets) without verification.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Code Execution Framework Model AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0058 - Publish Poisoned Models

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.6 - AI supply chain management

NIST AI RMF

MANAGE-2.2 - Risk treatments for AI risks

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-5173?

A malicious PyTorch model file (.pt) loaded by the YOLO integration in label-studio-ml-backend triggers arbitrary code execution via Python pickle deserialization — the classic unsafe `torch.load()` pattern. If your ML teams use Label Studio for data labeling with YOLO models sourced from any external or shared location, treat this as a supply chain risk and restrict model file provenance immediately. No patch is available; apply compensating controls now.

Is CVE-2025-5173 actively exploited?

No confirmed active exploitation of CVE-2025-5173 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-5173?

1. IMMEDIATE: Audit all .pt model files loaded by label-studio-ml-backend — verify SHA checksums against known-good sources. 2. Restrict the `path` argument to an allowlist of trusted directories; block user-controllable file paths reaching the `load()` function. 3. Switch to `torch.load(..., weights_only=True)` (PyTorch ≥1.13) to disable arbitrary code execution during deserialization — this is the correct long-term fix the vendor should implement. 4. Run the ML backend in an isolated container with no access to sensitive credentials or internal networks (defense in depth). 5. Monitor for unexpected process spawning from the label-studio-ml-backend process. 6. If using pip: pin label-studio-ml to a reviewed commit hash until a fix is released; watch GitHub issue #765 for patch status. 7. Do not load model files from untrusted public repositories (HuggingFace, public S3 buckets) without verification.

What systems are affected by CVE-2025-5173?

This vulnerability affects the following AI/ML architecture patterns: ML data labeling pipelines, Model serving, Training pipelines, MLOps/CI-CD pipelines.

What is the CVSS score for CVE-2025-5173?

CVE-2025-5173 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.10%.

Technical Details

NVD Description

A vulnerability has been found in HumanSignal label-studio-ml-backend up to 9fb7f4aa186612806af2becfb621f6ed8d9fdbaf and classified as problematic. Affected by this vulnerability is the function load of the file label-studio-ml-backend/label_studio_ml/examples/yolo/utils/neural_nets.py of the component PT File Handler. The manipulation of the argument path leads to deserialization. An attack has to be approached locally. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.

Exploitation Scenario

An attacker with access to the model file path (e.g., a malicious insider, a compromised model registry, or an adversary who has already gained write access to a shared filesystem) crafts a malicious PyTorch .pt file using Python's pickle module to embed a reverse shell payload. When a labeling engineer loads or restarts the YOLO ML backend with this model file, `torch.load()` deserializes the pickle object and executes the attacker's code with the backend process privileges. In a CI/CD context where models are pulled from a shared artifact store before training runs, this becomes a supply-chain vector that triggers automatically without user interaction beyond routine pipeline execution.