Threat Advisory

Stanza Vulnerability Enables Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-54499 (CVSS 7.5) is a remote code execution vulnerability in the Stanza natural language processing library, affecting stanza package versions <= 1.12.1. It allows an attacker to execute arbitrary code on any machine that loads a Stanza NLP pipeline. The root cause is unsafe deserialization of untrusted data when loading PyTorch checkpoint files: if the safe load raises a pickle.UnpicklingError, the library falls back to an unsafe load method, and an attacker-controlled file containing a single unsupported pickle global is enough to trigger that fallback. An attacker who can place a malicious pretrain or model file on disk, whether through a supply-chain compromise, a poisoned model repository, or a shared model cache, can exploit the flaw by embedding an unsupported pickle global in an otherwise structurally valid Stanza pretrain state dict, gaining arbitrary code execution on the affected machine. Exploitation requires the attacker to be able to place a malicious file on disk and the vulnerable Stanza library to load that file. Successful exploitation can have significant business impact, including data breaches, lateral movement, and further malicious activity.
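To make the fallback behaviour concrete, the following added example (not code from Stanza or from this advisory) places the vulnerable "safe load, then unrestricted retry" pattern beside a hardened loader that never falls back. It assumes a small allowlist-based restricted unpickler as a stand-in for a weights_only-style safe load, so it runs without PyTorch, and it uses a benign unlisted class (collections.Counter) in place of a malicious global.

```python
import io
import pickle
from collections import Counter, OrderedDict

# Stand-in for a weights_only-style allowlist (assumption: the real one is
# torch's; this one keeps the example runnable without torch installed).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Safe load: any global outside the allowlist raises UnpicklingError
    before that global is imported or called."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"unsupported global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_vulnerable(data: bytes):
    """The stanza <= 1.12.1 pattern the advisory describes: when the safe
    load raises UnpicklingError, silently retry with the unrestricted loader,
    which imports and calls whatever global the file names."""
    try:
        return safe_load(data)
    except pickle.UnpicklingError:
        return pickle.loads(data)


def load_hardened(data: bytes):
    """Fixed pattern: no fallback. An unsupported global is a hard failure."""
    return safe_load(data)


# Constructed sample checkpoints. Both are structurally valid "state dicts";
# the tainted one carries a Counter, a global outside the allowlist, as a
# benign stand-in for the unsupported global a malicious file would embed.
GOOD_CHECKPOINT = pickle.dumps(OrderedDict(emb=[0.1, 0.2], vocab=["a", "b"]))
TAINTED_CHECKPOINT = pickle.dumps(OrderedDict(emb=[0.1, 0.2], vocab=Counter("ab")))


def loader_outcome(loader, data: bytes) -> str:
    """Report whether a loader accepted a checkpoint or refused it."""
    try:
        loader(data)
        return "loaded"
    except pickle.UnpicklingError:
        return "refused"
```

The vulnerable loader accepts the tainted checkpoint because the retry path resolves the unlisted global; the hardened loader refuses it at the first unsupported global, which is the behaviour to expect after updating to 1.12.2.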

RECOMMENDATION:

We recommend updating stanza to version 1.12.2.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-v5jw-96jm-7h2c
