CVE-2025-51427 — ModelScope is vulnerable to arbitrary code injection via a crafted module

Description

An issue was discovered in ModelScope 1.25.0 allowing attackers to execute arbitrary code via crafted module listed in the configuration file (dey_mini.yaml) under the key ['nnet']['module'].

How to fix CVE-2025-51427

To remediate CVE-2025-51427, upgrade the affected package to a fixed version below.

PyPI/modelscope—upgrade to 1.27.0 or later

Is CVE-2025-51427 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2025-51427.

Affected packages (1)

from 0, < 1.27.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-51427
PATCHgithub.com/modelscope/modelscope
WEBgithub.com/JIRUWOZHI/vulnerability-disclosure/blob/main/CVE-2025-51427/CVE_2025_51427.md
WEBgithub.com/modelscope/modelscope/commit/75d54927e112261d39598ca08c15b66a7ff3f735