Description
The snorkel library through v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Snorkel library up to version 0.10.0 contains a flaw in the Trainer.load() method that uses torch.load() without the safety option weights_only=True. This omission allows the Pickle module to deserialize arbitrary Python objects, which an attacker can exploit by supplying a maliciously crafted model checkpoint. Calling Trainer.load() on such a file yields arbitrary code execution on the host system, compromising the confidentiality, integrity, and availability of the application.

Affected Systems

Any deployment of the Snorkel library that uses Trainer.load() with checkpoint files, specifically versions up to and including 0.10.0. The vulnerability exists in the library itself and does not depend on external framework versions beyond the documented torch dependency.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in CISA KEV, but the inherent nature of insecure deserialization gives this issue a high potential for exploitation. An attacker can trigger the vulnerability by providing a crafted model file to a system that unconditionally loads checkpoints. Once the malicious file is processed, the attacker gains arbitrary code execution, making this a critical risk when untrusted checkpoints are accepted.

Generated by OpenCVE AI on May 12, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the Snorkel library that implements weights_only=True in Trainer.load()
  • If upgrading immediately is not possible, wrap the torch.load() call so that deserialization is restricted to an allowlist of the types a checkpoint legitimately needs, rejecting any object types other than the expected model state
  • Implement application-level validation or cryptographic signing of model files to ensure only trusted checkpoints are accepted before invoking Trainer.load()
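The two mitigations above, shown as an added example rather than Snorkel's or torch's own code: an allowlist-restricted unpickler (the idea behind weights_only=True, demonstrated here with the standard-library pickle module so it runs without torch) combined with a digest check against a manifest. The allowlist contents, the existence of a trusted manifest, and the sample streams are assumptions.

```python
import hashlib
import hmac
import io
import json
import pickle
from collections import OrderedDict

# Assumption: a legitimate checkpoint for this application only references
# these globals. torch.load(weights_only=True) applies the same idea with
# its own allowlist of tensor and storage types.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Every GLOBAL/STACK_GLOBAL opcode in the stream is resolved through
    find_class, so a REDUCE that would call an unexpected callable is
    refused before anything executes."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(
                f"checkpoint references disallowed global {module}.{name}")
        return super().find_class(module, name)

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_trusted_stream(data: bytes) -> bool:
    """True if the stream deserializes without touching a disallowed global."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_checkpoint(data: bytes, expected_sha256: str):
    """Accept a checkpoint only if its digest matches a trusted manifest
    entry (assumed to exist) and its pickle stream stays inside the allowlist."""
    if not hmac.compare_digest(sha256_hex(data), expected_sha256):
        raise ValueError("checkpoint digest does not match the manifest")
    return restricted_loads(data)

# Constructed samples: a benign state dict, and a stream that merely references
# a function outside the allowlist (json.dumps is harmless; the point is that
# any such reference is refused before it can be called).
SAMPLE_OK = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2]), ("epoch", 3)]))
SAMPLE_REJECTED = pickle.dumps(json.dumps)
```

With torch available, the same shape applies: verify the digest first, then call torch.load(path, weights_only=True) instead of the restricted unpickler shown here.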


Tracking


Advisories

No advisories yet.

History

Tue, 12 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Title | (none) | Insecure Deserialization in Snorkel Trainer.load Leading to Remote Code Execution
Weaknesses | (none) | CWE-502

Tue, 12 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | (the CVE description, identical to the one at the top of this page)
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T15:15:03.621Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31222

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-12T16:16:14.120

Modified: 2026-05-12T16:38:07.807

Link: CVE-2026-31222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:00:12Z

Weaknesses