CVE-2025-58755
HIGH
MONAI < 1.5.0 - Path Traversal via Zip File Extraction
Title source: llmDescription
MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. The `extractall` function, called as `zip_file.extractall(output_dir)`, is used directly to process compressed files, and it is used in many places in the project. In versions up to and including 1.5.0, when a zip file containing malicious content is decompressed, it overwrites system files. In addition, the project allows zip content to be downloaded through a link, which widens the scope of exploitation of this vulnerability. As of the time of publication, no known fixed versions are available.
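A defensive replacement for the `zip_file.extractall(output_dir)` call named in the description, added here as an example and not code from the MONAI project: every entry is resolved against the output directory before anything is written, and the whole archive is refused if any entry would land outside it. The in-memory archive and its entry names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(output_dir: str, member_name: str) -> bool:
    """True only if the entry would be written inside output_dir."""
    # Absolute or drive-letter names have no business in a model archive.
    if os.path.isabs(member_name) or os.path.splitdrive(member_name)[0]:
        return False
    base = os.path.realpath(output_dir)
    # realpath collapses '..' segments and follows any symlinks already
    # present under output_dir, so the comparison is on the final location.
    target = os.path.realpath(os.path.join(base, member_name))
    return os.path.commonpath([base, target]) == base


def safe_extractall(zip_src, output_dir: str) -> list:
    """Drop-in for zip_file.extractall(output_dir): validates every entry
    first and extracts nothing if any entry escapes. Returns rejected names."""
    with zipfile.ZipFile(zip_src) as zf:
        infos = zf.infolist()
        rejected = [i.filename for i in infos
                    if not is_safe_member(output_dir, i.filename)]
        if rejected:
            return rejected  # fail closed: a tampered archive is not trusted
        for info in infos:
            zf.extract(info, output_dir)
    return []


def build_sample_archive() -> io.BytesIO:
    """Constructed in-memory archive (not a real MONAI download): one normal
    entry plus two that try to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/weights.txt", "ok")
        zf.writestr("../../outside.txt", "escaped")
        zf.writestr("/tmp/absolute.txt", "escaped")
    buf.seek(0)
    return buf


def demo() -> tuple:
    """Extract the sample archive into a fresh temp dir.
    Returns (rejected entry names, relative paths actually written)."""
    with tempfile.TemporaryDirectory() as out:
        rejected = safe_extractall(build_sample_archive(), out)
        written = sorted(os.path.relpath(os.path.join(root, f), out)
                         for root, _, files in os.walk(out) for f in files)
    return rejected, written
```

Logging the rejected names gives a detection signal for tampered model archives in addition to preventing the write.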
References (1)
Core References
Exploit, Vendor Advisory (x_refsource_confirm)
https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-x6ww-pf9m-m73m
Scores
CVSS v3
8.8
EPSS
0.0019
EPSS Percentile
40.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (2)
monai/medical_open_network_for_ai
< 1.5.0
pypi/monai
0 - 1.5.1 (PyPI)
Published
Sep 09, 2025
Tracked Since
Feb 18, 2026