{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/stanza--1.12.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Stanza (\u003c= 1.12.1)","PyTorch (\u003c 2.6)"],"_cs_severities":["high"],"_cs_tags":["deserialization","rce","python","pytorch","machine-learning","supply-chain","cwe-502","nlp","ghsa"],"_cs_type":"advisory","_cs_vendors":["Stanford NLP","PyTorch"],"content_html":"\u003cp\u003eThe Stanza Natural Language Processing (NLP) library, specifically version 1.12.0 and earlier, is susceptible to an arbitrary code execution vulnerability (CVE-2026-54499) stemming from unsafe deserialization. When attempting to load PyTorch checkpoint files, Stanza's \u003ccode\u003etorch.load\u003c/code\u003e implementation initially uses a \u003ccode\u003eweights_only=True\u003c/code\u003e flag for safety. However, if this safe load raises a \u003ccode\u003epickle.UnpicklingError\u003c/code\u003e (a condition controllable by an attacker via a specially crafted \u003ccode\u003e.pt\u003c/code\u003e file containing an unsupported pickle global), Stanza immediately falls back to reloading the \u003cem\u003esame attacker-controlled file\u003c/em\u003e with \u003ccode\u003eweights_only=False\u003c/code\u003e. This completely bypasses PyTorch's safety mechanisms, invoking Python's full pickle deserializer, which can execute any \u003ccode\u003e__reduce__\u003c/code\u003e method embedded in the malicious file. The vulnerability affects any user, researcher, or NLP service loading Stanza models from untrusted or compromised sources, enabling full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Crafts Malicious Model\u003c/strong\u003e: An attacker prepares a malicious PyTorch \u003ccode\u003e.pt\u003c/code\u003e file, embedding arbitrary Python code in its \u003ccode\u003e__reduce__\u003c/code\u003e method and including at least one unsupported pickle global to force an \u003ccode\u003eUnpicklingError\u003c/code\u003e during safe loading.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModel Placement/Distribution\u003c/strong\u003e: The attacker places this malicious \u003ccode\u003e.pt\u003c/code\u003e file on a system or repository where it can be loaded by a victim (e.g., via supply-chain compromise of a model repository like HuggingFace, poisoning a shared model cache, or distributing it through third-party fine-tuning hubs).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim Initiates Model Load\u003c/strong\u003e: A victim's application, CI/CD pipeline, or research environment uses the Stanza API (\u003ccode\u003estanza.Pipeline()\u003c/code\u003e, \u003ccode\u003eload_pretrain()\u003c/code\u003e) to load a pretrain or model file, unknowingly targeting the malicious \u003ccode\u003e.pt\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Safe Load Attempt\u003c/strong\u003e: Stanza's internal \u003ccode\u003ePretrain.load()\u003c/code\u003e function attempts to load the \u003ccode\u003e.pt\u003c/code\u003e file using \u003ccode\u003etorch.load(..., weights_only=True)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnpicklingError Triggered\u003c/strong\u003e: Due to the attacker-controlled unsupported pickle global, PyTorch raises a \u003ccode\u003epickle.UnpicklingError\u003c/code\u003e as intended by its \u003ccode\u003eweights_only=True\u003c/code\u003e safety feature.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnsafe Fallback Invoked\u003c/strong\u003e: Stanza's vulnerable \u003ccode\u003etry...except\u003c/code\u003e block catches the \u003ccode\u003eUnpicklingError\u003c/code\u003e and immediately reloads the \u003cem\u003esame malicious file\u003c/em\u003e using \u003ccode\u003etorch.load(..., weights_only=False)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary Code Execution\u003c/strong\u003e: Python's full pickle deserializer executes the attacker's arbitrary code embedded within the malicious \u003ccode\u003e.pt\u003c/code\u003e file's \u003ccode\u003e__reduce__\u003c/code\u003e method, with the privileges of the Stanza process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact Achieved\u003c/strong\u003e: The attacker's payload executes, leading to consequences such as credential theft (HuggingFace tokens, cloud IAM keys), installation of persistent backdoors, data exfiltration, or lateral movement within the victim's infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability, classified as CWE-502 (Deserialization of Untrusted Data), has severe consequences for any user, researcher, CI/CD pipeline, or production NLP service that loads a Stanza model pretrain file from sources not under exclusive cryptographic control. Attackers who can place a malicious \u003ccode\u003e.pt\u003c/code\u003e file can achieve arbitrary code execution with the full privileges of the process running \u003ccode\u003estanza.Pipeline()\u003c/code\u003e. This can be a developer workstation, a Jupyter notebook server, or a GPU training node, potentially leading to credential theft (e.g., HuggingFace tokens, cloud IAM keys from environment variables), persistent backdoors, data exfiltration, and lateral movement in multi-tenant training infrastructure. The vulnerability affects Stanza versions up to and including 1.12.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Stanza to a patched version immediately (version 1.12.2 or higher) to mitigate CVE-2026-54499, which removes the unsafe fallback for \u003ccode\u003epickle.UnpicklingError\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview and ensure all Stanza loaders, including those in \u003ccode\u003estanza/models/common/pretrain.py\u003c/code\u003e, \u003ccode\u003estanza/models/coref/model.py\u003c/code\u003e, \u003ccode\u003estanza/models/classifiers/trainer.py\u003c/code\u003e, and \u003ccode\u003estanza/models/constituency/base_trainer.py\u003c/code\u003e, have the unsafe fallback removed.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect suspicious process creation and file modifications indicative of successful exploitation of CVE-2026-54499.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging for \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003efile_event\u003c/code\u003e on Linux and Windows systems where Stanza is used.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-19T19:36:57Z","date_published":"2026-06-19T19:36:57Z","id":"https://feed.craftedsignal.io/briefs/2026-06-stanza-rce/","summary":"Stanza, an NLP library, is vulnerable to remote code execution (CVE-2026-54499) due to an unsafe fallback mechanism when loading PyTorch model files, allowing an attacker who can place a malicious pretrain or model file to achieve arbitrary code execution on systems processing NLP pipelines, leading to credential theft, backdoors, data exfiltration, and lateral movement.","title":"Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders","url":"https://feed.craftedsignal.io/briefs/2026-06-stanza-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Stanza (\u003c= 1.12.1)","version":"https://jsonfeed.org/version/1.1"}