CVE-2026-54499
Python Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-54499 is a remote code execution vulnerability in Stanford NLP's Stanza library caused by unsafe pickle deserialization in model loaders. Stanza versions ≤ 1.12.1 attempt to safely load PyTorch checkpoint files using torch.load(..., weights_only=True), but automatically fall back to the fully unsafe torch.load(..., weights_only=False) when a pickle.UnpicklingError is raised — a condition that is fully attacker-controllable. The vulnerability was published on June 18, 2026, by researcher RamiAltai and added to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Stanza Advisory).

Détails techniques

The root cause is classified as CWE-502 (Deserialization of Untrusted Data) and CWE-676 (Use of Potentially Dangerous Function). The vulnerable pattern exists in at least six locations across Stanza 1.12.0: stanza/models/common/pretrain.py (lines 64–66), stanza/models/coref/model.py (lines 251–253, 329–331), stanza/models/classifiers/trainer.py (lines 80–82), stanza/models/constituency/base_trainer.py (lines 94–96), and stanza/models/lemma_classifier/base_model.py (line 127, which omits weights_only entirely, defaulting to False on PyTorch < 2.6). An attacker crafts a structurally valid Stanza pretrain state dict (.pt file) containing a single unsupported pickle global (e.g., builtins.open); the safe load raises UnpicklingError, and the fallback invokes Python's full pickle deserializer, executing any __reduce__ method without restriction. A working proof-of-concept exploit script is publicly available in the advisory (Stanza Advisory).

Impact

Successful exploitation grants arbitrary code execution with the full privileges of the process running stanza.Pipeline(), which is commonly a developer workstation, Jupyter notebook server, or GPU training node. An attacker can steal credentials (HuggingFace tokens, cloud IAM keys stored in environment variables), install persistent backdoors, exfiltrate sensitive data, and perform lateral movement within multi-tenant training infrastructure. All three pillars of security are fully compromised: confidentiality, integrity, and availability are each rated High (GitHub Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify targets that use Stanza ≤ 1.12.1 for NLP pipelines — developers, CI/CD systems, or research environments that automatically download or refresh Stanza model files from external sources (HuggingFace, GitHub, shared NFS/S3 caches).
  2. Craft malicious .pt file: Build a structurally valid Stanza pretrain state dict containing an embedded malicious object with a __reduce__ method (e.g., builtins.open or a reverse shell payload). Embed one unsupported pickle global to guarantee UnpicklingError on safe load. Use torch.save(state, '/path/to/malicious.pt') to serialize the file.
  3. Deliver the malicious file: Place the crafted .pt file at a path Stanza will load — by compromising a HuggingFace model repository hosting Stanza pretrain weights, poisoning a shared model cache directory, or distributing the file via a third-party fine-tuning hub.
  4. Trigger the vulnerable fallback: When the victim loads a Stanza pipeline (e.g., stanza.Pipeline(lang='en')), the load_pretrain() API calls torch.load(..., weights_only=True), which raises UnpicklingError due to the embedded unsupported global. Stanza's except UnpicklingError block then calls torch.load(..., weights_only=False), invoking the full pickle deserializer.
  5. Achieve code execution: The __reduce__ method in the malicious object executes arbitrary code with the privileges of the Stanza process, enabling credential theft, reverse shell establishment, data exfiltration, or persistence (Stanza Advisory).

Indicateurs de compromis

  • File System: Unexpected sentinel or output files created in /tmp/ or other writable directories during model loading; new or modified files in the Stanza model cache directory (typically ~/stanza_resources/) that do not match expected checksums; presence of web shells, cron jobs, or backdoor scripts created by the Python process.
  • Process: Unusual child processes spawned by the Python/Stanza process (e.g., bash, curl, wget, nc, python -c) during or immediately after model loading; unexpected network connections originating from the Stanza/Python process.
  • Network: Outbound connections to unknown external IPs from the machine running Stanza, particularly during or after model file loading; unexpected DNS lookups from the Python process.
  • Logs: Python runtime errors or tracebacks referencing pickle.UnpicklingError followed immediately by successful model load completion (indicating the unsafe fallback fired); unexpected access to environment variables (e.g., HUGGING_FACE_HUB_TOKEN, AWS credentials) by the Stanza process.

Atténuation et solutions de contournement

Upgrade Stanza to version 1.12.2 or later, which is the patched release that addresses this vulnerability (GitHub Advisory). If upgrading immediately is not possible, avoid loading .pt model files from untrusted or unverified sources, and enforce cryptographic verification (e.g., checksums or signatures) of all model files before loading. As a code-level workaround, replace the unsafe fallback pattern with a fail-closed approach: re-raise the UnpicklingError as a RuntimeError rather than retrying with weights_only=False. For environments requiring legacy NumPy-containing pretrain files, use PyTorch's add_safe_globals() API to allowlist only the specific required types rather than disabling all safety checks. Apply fixes to all six affected loader locations identified in the advisory (Stanza Advisory).

Réactions de la communauté

The vulnerability was reported by researcher RamiAltai and published by Stanza maintainer AngledLuffa on June 18, 2026, with a patch released promptly in version 1.12.2. No significant broader media coverage or notable community commentary beyond the GitHub advisory has been identified at this time (Stanza Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Python Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54527CRITICAL9.3
  • JavaScript logoJavaScript
  • jupyterlab-git
NonOuiJul 08, 2026
CVE-2026-55206HIGH8.7
  • Python logoPython
  • py7zr
NonOuiJul 08, 2026
CVE-2026-55195HIGH8.7
  • Python logoPython
  • python313-py7zr
NonOuiJul 08, 2026
CVE-2026-54499HIGH7.5
  • Python logoPython
  • stanza
NonOuiJul 08, 2026
CVE-2026-54528HIGH7.1
  • Python logoPython
  • jupyterlab-git
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités