Skip to main content

MosaicML Composer CVE-2026-10043

| EUVDEUVD-2026-39110 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-24 zdi GHSA-cv8h-j5cx-fg4f
7.8
CVSS 3.0 · Vendor: zdi
Share

Severity by source

Vendor (zdi) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local because exploitation requires the victim to load a malicious checkpoint file (AV:L/UI:R); no privileges needed (PR:N), and arbitrary code execution yields full C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zdi).

CVSS VectorVendor: zdi

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 24, 2026 - 22:24 vuln.today
Analysis Generated
Jun 24, 2026 - 22:24 vuln.today

DescriptionCVE.org

MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MosaicML Composer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27990.

AnalysisAI

Arbitrary code execution in MosaicML Composer arises when the library loads a model or resumption checkpoint, because checkpoint parsing deserializes attacker-controlled pickle data without validation (CWE-502). A user who loads a maliciously crafted checkpoint (.pt) file - for example one downloaded from a model hub or shared by a collaborator - runs arbitrary Python code in the context of the training process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft checkpoint with malicious pickle __reduce__ payload
Delivery
Distribute via model hub or direct share
Exploit
Victim loads checkpoint in Composer
Execution
Pickle deserialization invokes attacker callable
Impact
Execute arbitrary code as training process

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to load an attacker-controlled checkpoint file through Composer's checkpoint loading path - specifically the resumption checkpoint loader (load_resumption_checkpoint, which used pickle.load) or the general torch.load path that used weights_only=False. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.0 base score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - local attack vector, low complexity, no privileges, but requiring user interaction, with full confidentiality/integrity/availability impact at unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a backdoored model checkpoint on a public model hub or sends it to an ML engineer as 'pretrained weights' or a 'resume training' file. When the victim calls Composer's checkpoint loading on that file, the embedded pickle payload (e.g. …
Remediation Upstream fix available (PR/commit); a released patched version is not independently confirmed from the available data - track the MosaicML Composer release that incorporates commit 6405188805a0054b4551ec49e4919c54c971d0e8, which replaces unguarded pickle.load with a _RestrictedUnpickler allowlist and switches torch.load to weights_only=True with torch.serialization.safe_globals(). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 HOURS: Identify all systems running MosaicML Composer; restrict checkpoint loading to internally-controlled sources and audit recent checkpoint origins. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-29472 HIGH POC
8.8 Apr 27

Composer is a dependency manager for PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, lo

CVE-2023-1596 MEDIUM POC
6.1 May 15

The tagDiv Composer WordPress plugin before 4.0 does not sanitise and escape a parameter before outputting it back in th

CVE-2021-41116 CRITICAL
9.8 Oct 05

Composer is an open source dependency manager for the PHP language. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2023-43655 HIGH
8.8 Sep 29

Composer is a dependency manager for PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, lo

CVE-2022-24828 HIGH
8.8 Apr 13

Composer is a dependency manager for the PHP programming language. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2026-59948 HIGH
7.0 Jul 08

Arbitrary file write in Composer (the PHP dependency manager) before 2.2.29 and 2.10.2 allows a malicious package served

CVE-2025-3510 MEDIUM
6.4 May 02

The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all ver

CVE-2026-59946 MEDIUM
6.1 Jul 08

Path traversal in Composer's binary installation flow allows a malicious PHP package to cause arbitrary host files to be

CVE-2026-11914 MEDIUM
5.9 Jul 10

vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.

CVE-2026-59947 MEDIUM
4.7 Jul 08

Credential leakage in Composer PHP dependency manager exposes sensitive tokens - such as GitHub Personal Access Tokens e

Share

CVE-2026-10043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy