
PEACH
Un cadre d’isolation des locataires
CVE-2026-54499 is a remote code execution vulnerability in Stanford NLP's Stanza library caused by unsafe pickle deserialization in model loaders. Stanza versions ≤ 1.12.1 attempt to safely load PyTorch checkpoint files using torch.load(..., weights_only=True), but automatically fall back to the fully unsafe torch.load(..., weights_only=False) when a pickle.UnpicklingError is raised — a condition that is fully attacker-controllable. The vulnerability was published on June 18, 2026, by researcher RamiAltai and added to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Stanza Advisory).
The root cause is classified as CWE-502 (Deserialization of Untrusted Data) and CWE-676 (Use of Potentially Dangerous Function). The vulnerable pattern exists in at least six locations across Stanza 1.12.0: stanza/models/common/pretrain.py (lines 64–66), stanza/models/coref/model.py (lines 251–253, 329–331), stanza/models/classifiers/trainer.py (lines 80–82), stanza/models/constituency/base_trainer.py (lines 94–96), and stanza/models/lemma_classifier/base_model.py (line 127, which omits weights_only entirely, defaulting to False on PyTorch < 2.6). An attacker crafts a structurally valid Stanza pretrain state dict (.pt file) containing a single unsupported pickle global (e.g., builtins.open); the safe load raises UnpicklingError, and the fallback invokes Python's full pickle deserializer, executing any __reduce__ method without restriction. A working proof-of-concept exploit script is publicly available in the advisory (Stanza Advisory).
Successful exploitation grants arbitrary code execution with the full privileges of the process running stanza.Pipeline(), which is commonly a developer workstation, Jupyter notebook server, or GPU training node. An attacker can steal credentials (HuggingFace tokens, cloud IAM keys stored in environment variables), install persistent backdoors, exfiltrate sensitive data, and perform lateral movement within multi-tenant training infrastructure. All three pillars of security are fully compromised: confidentiality, integrity, and availability are each rated High (GitHub Advisory).
.pt file: Build a structurally valid Stanza pretrain state dict containing an embedded malicious object with a __reduce__ method (e.g., builtins.open or a reverse shell payload). Embed one unsupported pickle global to guarantee UnpicklingError on safe load. Use torch.save(state, '/path/to/malicious.pt') to serialize the file..pt file at a path Stanza will load — by compromising a HuggingFace model repository hosting Stanza pretrain weights, poisoning a shared model cache directory, or distributing the file via a third-party fine-tuning hub.stanza.Pipeline(lang='en')), the load_pretrain() API calls torch.load(..., weights_only=True), which raises UnpicklingError due to the embedded unsupported global. Stanza's except UnpicklingError block then calls torch.load(..., weights_only=False), invoking the full pickle deserializer.__reduce__ method in the malicious object executes arbitrary code with the privileges of the Stanza process, enabling credential theft, reverse shell establishment, data exfiltration, or persistence (Stanza Advisory)./tmp/ or other writable directories during model loading; new or modified files in the Stanza model cache directory (typically ~/stanza_resources/) that do not match expected checksums; presence of web shells, cron jobs, or backdoor scripts created by the Python process.bash, curl, wget, nc, python -c) during or immediately after model loading; unexpected network connections originating from the Stanza/Python process.pickle.UnpicklingError followed immediately by successful model load completion (indicating the unsafe fallback fired); unexpected access to environment variables (e.g., HUGGING_FACE_HUB_TOKEN, AWS credentials) by the Stanza process.Upgrade Stanza to version 1.12.2 or later, which is the patched release that addresses this vulnerability (GitHub Advisory). If upgrading immediately is not possible, avoid loading .pt model files from untrusted or unverified sources, and enforce cryptographic verification (e.g., checksums or signatures) of all model files before loading. As a code-level workaround, replace the unsafe fallback pattern with a fail-closed approach: re-raise the UnpicklingError as a RuntimeError rather than retrying with weights_only=False. For environments requiring legacy NumPy-containing pretrain files, use PyTorch's add_safe_globals() API to allowlist only the specific required types rather than disabling all safety checks. Apply fixes to all six affected loader locations identified in the advisory (Stanza Advisory).
The vulnerability was reported by researcher RamiAltai and published by Stanza maintainer AngledLuffa on June 18, 2026, with a patch released promptly in version 1.12.2. No significant broader media coverage or notable community commentary beyond the GitHub advisory has been identified at this time (Stanza Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."