CVE-2025-58755: 
Python vulnerability analysis and mitigation

MONAI (Medical Open Network for AI), an AI toolkit for healthcare imaging, has been identified with a critical path traversal vulnerability (CVE-2025-58755) discovered on September 8, 2025. The vulnerability affects all versions up to and including 1.5.0, where the extractall function (zip_file.extractall(output_dir)) is used to process compressed files without proper security checks (GitHub Advisory).

The vulnerability stems from improper limitation of pathname to a restricted directory (CWE-22), allowing path traversal attacks. The issue occurs when the extractall function processes compressed files without proper validation. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (GitHub Advisory).

When exploited, this vulnerability allows attackers to overwrite system files through malicious zip content. The impact is particularly severe as the project enables zip content download through links, expanding the exploitation scope. Attackers could potentially write malicious files anywhere on the system, including SSH keys or boot-time execution files, leading to service disruption or system compromise (GitHub Advisory).

As of the publication date, no fixed versions are available. The recommended mitigation is to check the contents of downloaded zip files before extraction or implement safer methods for loading zip content (GitHub Advisory).