MONAI Arbitrary Code Execution Vulnerability via Insecure Checkpoint Loading

Vulnerability

An arbitrary code execution vulnerability has been identified in MONAI (Medical Open Network for AI) versions through 1.5.0. The issue arises from insecure loading methods in the 'monai/bundle/scripts.py' file, particularly when loading checkpoints. It is a deserialization flaw: malicious payloads embedded in pre-trained models, such as those downloaded from platforms like Hugging Face, are executed when the model is loaded. As of now, no fixed versions are available.

Impact

Exploitation of this vulnerability leads to arbitrary command execution on the system.

Reproduction

The vulnerability can be reproduced by creating a malicious PyTorch checkpoint that includes a payload designed to execute a command, such as creating a file in the '/tmp' directory. This checkpoint can then be loaded using MONAI's CheckpointLoader, which will execute the embedded command. Despite an error indicating a mismatch in the expected checkpoint format, the malicious command execution still occurs.

Remediation

Users are advised to use secure methods for loading checkpoints, such as forcing the 'weights_only' parameter to 'True', or to update to a version of MONAI that addresses this vulnerability, if available.
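
The following is an added example, not code from MONAI or PyTorch. It sketches the allowlist principle behind 'weights_only' using only the Python standard library, and shows why a format check that runs after deserialization comes too late. The names AllowlistUnpickler, load_weights, try_load and ALLOWED_GLOBALS are hypothetical, and the sample byte strings are constructed, with lists of floats standing in for tensors.

```python
import io
import pickle
from collections import OrderedDict

# Assumption: the only global this toy weights format needs. Real PyTorch
# checkpoints need more, and torch.load(..., weights_only=True) applies
# its own restricted unpickler instead of this one.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals; anything else aborts the load."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global: {module}.{name}")
        return super().find_class(module, name)


def load_weights(data: bytes) -> OrderedDict:
    """Deserialize under the allowlist, then check the resulting type.
    The type check alone is not a defence: it only runs after the whole
    pickle stream has already been processed."""
    obj = AllowlistUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, OrderedDict):
        raise ValueError("checkpoint is not a state-dict mapping")
    return obj


def try_load(data: bytes) -> str:
    """Report at which stage a checkpoint was accepted or rejected."""
    try:
        load_weights(data)
        return "loaded"
    except pickle.UnpicklingError as exc:
        return f"rejected during unpickling: {exc}"
    except ValueError as exc:
        return f"rejected after unpickling: {exc}"


# Constructed samples, not real checkpoints.
GOOD = pickle.dumps(OrderedDict(layer1=[0.1, 0.2], bias=[0.0]))
# Names a global outside the allowlist; the global is referenced, never called.
UNEXPECTED_GLOBAL = pickle.dumps(print)
WRONG_SHAPE = pickle.dumps([1, 2, 3])

if __name__ == "__main__":
    for label, blob in [("good", GOOD), ("unexpected global", UNEXPECTED_GLOBAL),
                        ("wrong shape", WRONG_SHAPE)]:
        print(f"{label}: {try_load(blob)}")
```

The second sample is stopped while the stream is still being parsed, before any object it names can be used, whereas the third is only caught by the later type check.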

Added: Sep 9, 2025, 12:17 AM
Updated: Sep 9, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.