PYSEC-2025-140

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/monai/PYSEC-2025-140.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2025-140
Aliases
Published
2025-09-09T00:15:32.257Z
Modified
2026-05-20T09:19:08.643556Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

MONAI (Medical Open Network for AI) is an AI toolkit for healthcare imaging. The project calls zip_file.extractall(output_dir) directly on compressed files, in many places, without validating the paths of the archive members first. In versions up to and including 1.5.0, a zip archive whose entry names contain path-traversal components (such as ../ segments) can therefore be extracted onto locations outside output_dir and overwrite files on the system. Because the project also downloads and extracts zip content from a user-supplied link, the archive does not have to be present locally, which widens the scope of exploitation. At the time of publication no fixed version was available; the affected-range data below now lists 1.5.1rc1 as the first fixed version.
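
The following is an added example, not code from MONAI or from this advisory, showing the class of bug described above: a bare extractall(output_dir) beside a hardened variant that resolves every member's destination and refuses the whole archive if any entry would land outside the output directory. The archive contents, the helper names (build_archive, unsafe_members, safe_extractall) and the "../../outside.txt" entry are all constructed for the example. One caveat worth knowing when triaging: CPython's own zipfile.extractall strips leading separators and ".." components from member names when it writes files, so the plain ../ variant is blunted on a current interpreter; the explicit check below does not depend on that library behaviour, and it also rejects absolute member names, which is what a reviewer would want in code that extracts archives fetched from a URL.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_archive(members):
    """Build an in-memory zip from {name: bytes}.

    Names are stored verbatim, so an entry such as '../../outside.txt' is a
    constructed zip-slip payload for this example, not real project data.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_within(base, target):
    """True if target resolves (symlinks included) to a path inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def unsafe_members(zip_bytes, output_dir):
    """Return the member names whose destination would fall outside output_dir.

    os.path.join discards output_dir when the member name is absolute, so
    absolute entries are caught by the same containment check as '../' ones.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            dest = os.path.join(output_dir, info.filename)
            if not is_within(output_dir, dest):
                bad.append(info.filename)
    return bad


def unsafe_extractall(zip_bytes, output_dir):
    """The pattern the advisory describes: extract with no path validation."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(output_dir)


def safe_extractall(zip_bytes, output_dir):
    """Hardened replacement: validate every member, then extract.

    Returns the list of files now present under output_dir (posix-style,
    relative to output_dir) so callers can assert on what was written.
    """
    bad = unsafe_members(zip_bytes, output_dir)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(output_dir)
    return sorted(
        p.relative_to(output_dir).as_posix()
        for p in Path(output_dir).rglob("*")
        if p.is_file()
    )


# Constructed sample archives: one benign, one carrying a traversal entry.
BENIGN = build_archive({
    "model/weights.pt": b"ok",
    "model/config.json": b"{}",
})
MALICIOUS = build_archive({
    "model/weights.pt": b"ok",
    "../../outside.txt": b"pwned",  # constructed zip-slip entry
})


def demo():
    """Run both archives through the hardened path in a throwaway directory."""
    with tempfile.TemporaryDirectory() as out:
        bad = unsafe_members(MALICIOUS, out)
        try:
            safe_extractall(MALICIOUS, out)
            rejected = False
        except ValueError:
            rejected = True
        extracted = safe_extractall(BENIGN, out)
    return bad, rejected, extracted


if __name__ == "__main__":
    print(demo())
```

The check is done over the whole archive before anything is written, so a rejected archive leaves output_dir untouched rather than half-extracted; realpath on both sides means an output_dir that is itself a symlink still compares correctly.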

References

Affected packages

PyPI / monai

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.5.1rc1

Affected versions

0.*
0.0.1
0.1.0
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.7.0
0.8.0
0.8.1
0.9.0
0.9.1
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2rc1
1.3.2
1.3.3rc1
1.4.0rc1
1.4.0rc2
1.4.0rc3
1.4.0rc4
1.4.0rc5
1.4.0rc6
1.4.0rc7
1.4.0rc8
1.4.0rc9
1.4.0rc10
1.4.0rc11
1.4.0rc12
1.4.0
1.4.1rc1
1.5.0rc1
1.5.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/monai/PYSEC-2025-140.yaml"