Step-Video-T2V Remote Code Execution Vulnerability via Insecure Pickle Deserialization
Vulnerability
A remote code execution vulnerability has been identified in the Step-Video-T2V application. This issue arises from the unsafe deserialization of untrusted data using Python's pickle module, specifically in the /vae-api and /caption-api endpoints. The vulnerability allows remote attackers to execute arbitrary code on the server, potentially leading to a full system compromise.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server, with potential for full system compromise.
Reproduction
To reproduce this vulnerability, send a request to the /vae-api or /caption-api endpoint whose payload contains an object serialized in Python's pickle format. The server deserializes the object without any validation, and because unpickling can import and call objects named in the stream, this allows for the execution of arbitrary code.
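One way to close this path when a pickle body cannot yet be replaced by a data-only format is to refuse every global lookup during unpickling and to inspect the opcode stream before loading it. The following is an added example, not code from Step-Video-T2V; the function names, the request fields and the sample inputs are constructed for illustration.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that import a name or call a callable during unpickling.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def risky_opcodes(data: bytes) -> set:
    """Statically list risky opcodes in a pickle stream without loading it."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)} & RISKY_OPCODES


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only plain data loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    """Load a pickle made only of built-in containers and scalars."""
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def check(data: bytes) -> str:
    """Return 'accepted' or a short rejection reason for a request body."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed, benign sample inputs: plain data, and an object that needs a global.
PLAIN = pickle.dumps({"prompt": "a cat", "steps": 30, "size": [544, 992]})
WITH_GLOBAL = pickle.dumps(OrderedDict(a=1))

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("with_global", WITH_GLOBAL)):
        print(label, sorted(risky_opcodes(blob)), check(blob))
```

The opcode scan is suited to logging and alerting on request bodies; the restricted unpickler is the control that actually prevents a callable from being resolved.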
