CVE-2025-58755 · HIGH 8.8 · EPSS percentile 42.5%

CVE-2025-58755

Description

MONAI (Medical Open Network for AI) is an AI toolkit for healthcare imaging. The project calls `zip_file.extractall(output_dir)` directly to process compressed files, and this pattern is used in many places in the code base. In versions up to and including 1.5.0, extracting a zip archive that contains crafted entry names can write files outside the intended output directory and overwrite system files. In addition, the project supports downloading zip content from a link, which widens the scope in which this vulnerability can be exploited. As of the time of publication, no fixed versions are available.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% probability of exploitation · percentile 42.5% · 2026-06-19T12:03:05Z
Published: 2025-09-09
Last modified: 2025-09-19

Underlying weaknesses · 1

CWE-22

References

  1. https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-x6ww-pf9m-m73m


Type      Target                                                                          Confidence  Tier
Weakness  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')  0%          live
          (CWE-22)

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-58757
  2. CVE-2025-58756
  3. CVE-2025-66945
  4. CVE-2025-3485
  5. CVE-2025-13816
  6. CVE-2025-51480
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.