Description
The snorkel library through v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or security controls. Python's pickle module is inherently dangerous for deserializing untrusted data, as it can execute arbitrary code during the deserialization process. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.
Published: 2026-05-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Snorkel library up to version 0.10.0 implements the BaseLabeler.load() method by calling Python's pickle.load on file paths supplied by the caller. Pickle deserializes objects without verifying their origin, allowing the execution of arbitrary code during unpickling. This flaw is classified as CWE-502. A maliciously crafted pickle file, when loaded with the vulnerable method, can execute attacker-provided code on the system running the library.

Affected Systems

All installations of the Snorkel machine learning library whose version is 0.10.0 or earlier. Systems that use the BaseLabeler.load() routine to ingest pre‑trained labeler models are affected. Updating to a newer release that removes the unsafe pickle usage eliminates the vulnerability.

Risk and Exploitability

The vulnerability permits arbitrary code execution on the host executing the untrusted pickle file. No remote network vector is explicitly defined in the advisory, but an attacker can trigger the flaw by delivering a malicious file to any process calling BaseLabeler.load(). The CVSS score of 8.8 indicates a high severity, and the EPSS score of < 1% shows a low current exploitation likelihood. The issue is not listed in CISA’s KEV catalog, yet the flaw directly leads to full system compromise.

Generated by OpenCVE AI on May 13, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Snorkel to a version newer than 0.10.0 that replaces BaseLabeler.load() with a safe deserialization mechanism.
  • If an upgrade is not possible, remove or replace any use of BaseLabeler.load() in your codebase; instead use alternative loading techniques that avoid pickle, such as JSON or a custom, validated format.
  • When deserialization is unavoidable, limit the source of pickle files to a strictly trusted directory, enforce strict path validation, and run the loading process within a restricted container or user context to contain potential exploitation.
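The three recommended actions above (replace pickle with a format that cannot carry code, validate the path, and confine loading to a trusted directory) as an added Python example. This is not Snorkel's code and does not touch BaseLabeler; the labeler fields (name, cardinality, weights), the JSON layout and the helper names are assumptions chosen for illustration.

```python
"""Added example (not Snorkel's code): a pickle-free labeler file format with
strict field validation and trusted-directory path checks."""
import json
import os
import tempfile
from pathlib import Path

# Hypothetical, minimal labeler state; a real labeler stores more fields.
ALLOWED_KEYS = {"name", "cardinality", "weights"}
FORMAT_VERSION = 1


def resolve_trusted_path(filename, trusted_root):
    """Return the resolved path only if it stays inside trusted_root.
    resolve() follows symlinks, so a link that points outside the directory
    is rejected just like a '..' traversal component."""
    root = Path(trusted_root).resolve()
    candidate = (root / filename).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"{filename!r} escapes trusted directory {root}")
    return candidate


def save_labeler(state, path):
    """Write a dict of JSON-native values; JSON has no code-bearing types."""
    payload = {"format_version": FORMAT_VERSION, **state}
    with open(path, "w", encoding="utf-8") as f:
        json.dump(payload, f)


def load_labeler(filename, trusted_root):
    """Load and validate a labeler file without ever calling pickle."""
    full = resolve_trusted_path(filename, trusted_root)
    with open(full, "r", encoding="utf-8") as f:
        data = json.load(f)  # only dict/list/str/int/float/bool/None come back
    if not isinstance(data, dict) or data.get("format_version") != FORMAT_VERSION:
        raise ValueError("unsupported or missing format_version")
    state = {k: v for k, v in data.items() if k != "format_version"}
    unexpected = set(state) - ALLOWED_KEYS
    missing = ALLOWED_KEYS - set(state)
    if unexpected or missing:
        raise ValueError(f"bad fields: unexpected={sorted(unexpected)} missing={sorted(missing)}")
    if not isinstance(state["name"], str):
        raise ValueError("name must be a string")
    if not isinstance(state["cardinality"], int) or state["cardinality"] < 2:
        raise ValueError("cardinality must be an int >= 2")
    weights = state["weights"]
    if not isinstance(weights, list) or not all(
        isinstance(x, (int, float)) and not isinstance(x, bool) for x in weights
    ):
        raise ValueError("weights must be a list of numbers")
    return state


def demo():
    """Round-trip a constructed labeler and exercise both rejection paths.
    Returns (round_trip_ok, traversal_blocked, tampered_file_rejected)."""
    with tempfile.TemporaryDirectory() as root:
        state = {"name": "demo_labeler", "cardinality": 2, "weights": [0.5, -0.25, 1.0]}
        save_labeler(state, os.path.join(root, "labeler.json"))
        loaded = load_labeler("labeler.json", root)

        # A path that leaves the trusted directory is refused before any read.
        try:
            load_labeler("../outside.json", root)
            traversal_blocked = False
        except PermissionError:
            traversal_blocked = True

        # A constructed file carrying an unknown field is refused by the schema
        # check; with pickle, unexpected content could have run code instead.
        tampered = {"format_version": 1, "name": "x", "cardinality": 2,
                    "weights": [], "extra_hook": "not allowed"}
        with open(os.path.join(root, "tampered.json"), "w", encoding="utf-8") as f:
            json.dump(tampered, f)
        try:
            load_labeler("tampered.json", root)
            tamper_rejected = False
        except ValueError:
            tamper_rejected = True

        return loaded == state, traversal_blocked, tamper_rejected


if __name__ == "__main__":
    print(demo())
```

The design point is that safety comes from the format, not from trusting the file's origin: json.load can only produce plain data, the explicit field and type checks reject anything the loader did not expect, and resolve_trusted_path is applied before the file is opened so that a traversal or symlink never reaches the parser.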



Advisories
Source | ID | Title
Github GHSA | GHSA-fq92-qc8f-482v | Snorkel BaseLabeler.load uses an unsafe pickle.load
History

Sun, 17 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Snorkel-team; Snorkel-team snorkel
Vendors & Products | | Snorkel-team; Snorkel-team snorkel

Fri, 15 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Title | | Critical Insecure Deserialization in Snorkel BaseLabeler

Wed, 13 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Snorkel; Snorkel snorkel
CPEs | | cpe:2.3:a:snorkel:snorkel:*:*:*:*:*:*:*:*
Vendors & Products | | Snorkel; Snorkel snorkel
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Tue, 12 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Title | | Critical Insecure Deserialization in Snorkel BaseLabeler
Weaknesses | | CWE-502

Tue, 12 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or security controls. Python's pickle module is inherently dangerous for deserializing untrusted data, as it can execute arbitrary code during the deserialization process. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-15T18:05:33.607Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31223

Vulnrichment

Updated: 2026-05-15T17:23:35.514Z

NVD

Status : Modified

Published: 2026-05-12T16:16:14.223

Modified: 2026-05-15T19:16:57.800

Link: CVE-2026-31223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T19:42:39Z

Weaknesses