Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local because exploitation requires the victim to load a malicious checkpoint file (AV:L/UI:R); no privileges needed (PR:N), and arbitrary code execution yields full C/I/A impact.
Primary rating from Vendor (zdi).
CVSS VectorVendor: zdi
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MosaicML Composer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27990.
AnalysisAI
Arbitrary code execution in MosaicML Composer arises when the library loads a model or resumption checkpoint, because checkpoint parsing deserializes attacker-controlled pickle data without validation (CWE-502). A user who loads a maliciously crafted checkpoint (.pt) file - for example one downloaded from a model hub or shared by a collaborator - runs arbitrary Python code in the context of the training process. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to load an attacker-controlled checkpoint file through Composer's checkpoint loading path - specifically the resumption checkpoint loader (load_resumption_checkpoint, which used pickle.load) or the general torch.load path that used weights_only=False. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 base score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - local attack vector, low complexity, no privileges, but requiring user interaction, with full confidentiality/integrity/availability impact at unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a backdoored model checkpoint on a public model hub or sends it to an ML engineer as 'pretrained weights' or a 'resume training' file. When the victim calls Composer's checkpoint loading on that file, the embedded pickle payload (e.g. … |
| Remediation | Upstream fix available (PR/commit); a released patched version is not independently confirmed from the available data - track the MosaicML Composer release that incorporates commit 6405188805a0054b4551ec49e4919c54c971d0e8, which replaces unguarded pickle.load with a _RestrictedUnpickler allowlist and switches torch.load to weights_only=True with torch.serialization.safe_globals(). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 HOURS: Identify all systems running MosaicML Composer; restrict checkpoint loading to internally-controlled sources and audit recent checkpoint origins. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Composer is a dependency manager for PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, lo
The tagDiv Composer WordPress plugin before 4.0 does not sanitise and escape a parameter before outputting it back in th
Composer is an open source dependency manager for the PHP language. Rated critical severity (CVSS 9.8), this vulnerabili
Composer is a dependency manager for PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, lo
Composer is a dependency manager for the PHP programming language. Rated high severity (CVSS 8.8), this vulnerability is
Arbitrary file write in Composer (the PHP dependency manager) before 2.2.29 and 2.10.2 allows a malicious package served
The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all ver
Path traversal in Composer's binary installation flow allows a malicious PHP package to cause arbitrary host files to be
vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.
Credential leakage in Composer PHP dependency manager exposes sensitive tokens - such as GitHub Personal Access Tokens e
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39110
GHSA-cv8h-j5cx-fg4f