DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-89gg-p5r5-q6r4: Insecure Pickle Deserialization RCE in MONAI Auto3DSeg

Vulnerability ID: GHSA-89GG-P5R5-Q6R4
CVSS Score: 8.3
Published: 2026-04-07

The Medical Open Network for AI (MONAI) framework contains a high-severity (CVSS 8.3) remote code execution vulnerability in the Auto3DSeg utility. The algo_from_pickle function deserializes untrusted data with Python's pickle module, which executes whatever callable a crafted object's __reduce__ method names during loading. An attacker who can place or supply a crafted .pkl file that Auto3DSeg then loads can therefore execute arbitrary code with the privileges of the process that loads the file. This vulnerability affects all versions of the MONAI PyPI package prior to 1.5.2.

TL;DR

MONAI versions prior to 1.5.2 are vulnerable to remote code execution via insecure pickle deserialization in the algo_from_pickle function. Loading a maliciously crafted .pkl file results in arbitrary code execution in the loading process.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-502
  • Vulnerability Class: Deserialization of Untrusted Data
  • CVSS v3.1 Base Score: 8.3
  • Attack Vector: Network
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • MONAI PyPI Package
  • MONAI Auto3DSeg Utility
  • monai: < 1.5.2 (Fixed in: 1.5.2)

Exploit Details

  • Provided PoC: Proof of concept in which a pickled object's __reduce__ method returns subprocess.call with an attacker-chosen argument list, so the command runs as soon as the unpickler reconstructs the object.

Mitigation Strategies

  • Upgrade MONAI to the patched version 1.5.2 or later.
  • Restrict filesystem write permissions for directories containing .pkl configuration files, so that only the trusted pipeline can place files the loader will read.
  • Authenticate serialized model or configuration files (e.g., an HMAC tag over the bytes, or a digital signature when files come from another party) and verify the tag before any byte reaches the unpickler; note that this proves origin, not that the content is safe.
  • Audit machine learning pipelines for unsafe deserialization calls (pickle.load, joblib.load, torch.load with weights_only=False) and replace them with a restricted unpickler or a non-executable format where possible.
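The following is an added example, not code from MONAI or from the advisory, showing the mechanism behind the vulnerability and the two loader-side mitigations above in working Python. It builds a harmless __reduce__ payload (it flips a flag instead of calling subprocess.call), demonstrates that a plain pickle.loads executes it, then shows a restricted Unpickler that rejects any global not on an allow-list and an HMAC-checked envelope verified before deserialization. All names (load_algo_unsafe, load_algo_safe, sign_blob, verify_and_load, the sample config dict and the demo key) are illustrative and constructed for this example.

```python
"""Added example, not MONAI project code: a harmless __reduce__ payload,
the vulnerable loader pattern, and two defences from the list above
(a restricted Unpickler and an HMAC-checked envelope). All names here
(load_algo_unsafe, load_algo_safe, sign_blob, ...) are illustrative."""
import hashlib
import hmac
import io
import pickle

# Constructed marker: the payload flips this flag instead of calling
# subprocess.call, so the demo is safe to run. A real exploit returns
# (os.system, ("id",)) or (subprocess.call, (["id"],)) from __reduce__.
SIDE_EFFECT = {"ran": False}


def _attacker_callable(arg):
    SIDE_EFFECT["ran"] = True
    return arg


class MaliciousAlgo:
    """pickle calls whatever __reduce__ returns while rebuilding the object."""

    def __reduce__(self):
        return (_attacker_callable, ("pwned",))


def build_malicious_pickle() -> bytes:
    """What an attacker would write into the .pkl file."""
    return pickle.dumps(MaliciousAlgo())


def build_benign_pickle() -> bytes:
    """A plain config dict, the kind of data a loader legitimately expects."""
    return pickle.dumps({"name": "segresnet", "num_epochs": 300, "roi": [96, 96, 96]})


def load_algo_unsafe(data: bytes):
    """The vulnerable pattern: pickle.loads on attacker-controlled bytes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; any other GLOBAL opcode is rejected."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_algo_safe(data: bytes):
    """Return ("ok", obj) or ("blocked", reason); never runs a payload."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "blocked", str(exc)


def sign_blob(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 envelope: 32-byte tag followed by the pickle bytes."""
    return hmac.new(key, data, hashlib.sha256).digest() + data


def verify_and_load(key: bytes, blob: bytes):
    """Check the tag before a single byte reaches the unpickler, then still
    use the restricted unpickler (defence in depth)."""
    tag, data = blob[:32], blob[32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "rejected", "bad tag"
    return load_algo_safe(data)


def run_demo() -> dict:
    """Exercise every path and return the observable outcomes."""
    key = b"constructed-demo-key"  # in production: from a secret store
    evil, good = build_malicious_pickle(), build_benign_pickle()
    results = {}

    SIDE_EFFECT["ran"] = False
    load_algo_unsafe(evil)  # the RCE: the payload runs during loads()
    results["unsafe_executed_payload"] = SIDE_EFFECT["ran"]

    SIDE_EFFECT["ran"] = False
    status, _ = load_algo_safe(evil)
    results["restricted_blocked"] = status == "blocked" and not SIDE_EFFECT["ran"]
    results["restricted_loads_benign"] = load_algo_safe(good)[1]["num_epochs"]

    results["unsigned_rejected"] = verify_and_load(key, evil)[0]
    results["signed_benign"] = verify_and_load(key, sign_blob(key, good))[0]
    # A tag proves origin, not safety: a signed malicious file still hits
    # the allow-list, which is why both controls are kept.
    results["signed_malicious"] = verify_and_load(key, sign_blob(key, evil))[0]
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Run it with `python3 example.py`. The allow-list is the real control: the plain loader runs the payload before it even returns, the restricted unpickler raises on the first global it does not recognise (so nothing from the attacker's __reduce__ ever executes), and the HMAC check only establishes who wrote the file, which is why the signed-but-malicious case is still stopped by the allow-list rather than by the tag.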

Remediation Steps:

  1. Identify all deployments and virtual environments utilizing the monai PyPI package.
  2. Update the dependency manager configuration (requirements.txt, pyproject.toml) to require monai>=1.5.2.
  3. Rebuild and deploy the affected application containers or environments.
  4. Verify that the algo_from_pickle function is no longer invoked with unvalidated external input, and that .pkl files are only loaded from write-protected locations populated by the trusted pipeline.

Read the full report for GHSA-89GG-P5R5-Q6R4 on our website for more details including interactive diagrams and full exploit analysis.