CVE-2025-57622 is a critical vulnerability identified in the Step-Video-T2V software, specifically within its /vae-api and /caption-api endpoints. The root cause is the unsafe use of Python's pickle.loads function to deserialize data received from HTTP requests without proper validation or sanitization. This unsafe deserialization (CWE-502) allows remote attackers to craft malicious payloads that, when deserialized by the server, execute arbitrary code with the same privileges as the application. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network, making it highly accessible to attackers. The CVSS 3.1 base score of 9.8 reflects the critical nature of this flaw, with high impact on confidentiality, integrity, and availability. Despite the absence of known exploits in the wild, the vulnerability poses a severe risk due to the common use of pickle for serialization and the ease of exploitation. No specific affected versions are listed, implying the issue may affect all current deployments of Step-Video-T2V using these APIs. The lack of available patches increases urgency for organizations to implement mitigations. This vulnerability exemplifies the dangers of deserializing untrusted data and highlights the need for secure coding practices in handling serialized input.

The impact of CVE-2025-57622 is severe for organizations worldwide using Step-Video-T2V. Successful exploitation results in remote code execution, allowing attackers to fully compromise affected systems. This can lead to data breaches, system manipulation, deployment of malware or ransomware, lateral movement within networks, and complete loss of service availability. Confidential information processed or stored by Step-Video-T2V can be exfiltrated or altered, damaging organizational reputation and causing regulatory compliance violations. The vulnerability’s ease of exploitation and lack of required privileges make it attractive for attackers, increasing the likelihood of targeted attacks or automated exploitation campaigns once exploits become available. Organizations relying on Step-Video-T2V for video processing or captioning services face operational disruptions and potential financial losses. The absence of patches further exacerbates the risk, necessitating immediate defensive actions to prevent compromise.

To mitigate CVE-2025-57622, organizations should immediately restrict access to the /vae-api and /caption-api endpoints by implementing network-level controls such as firewalls or VPNs to limit exposure to trusted users only. Disable or remove the use of pickle.loads for deserialization of untrusted input; replace it with safer serialization libraries like JSON or use secure deserialization frameworks that enforce strict type whitelisting. Employ input validation and sanitization to reject unexpected or malformed data before processing. Monitor network traffic and application logs for unusual or suspicious requests targeting these APIs. If possible, isolate the Step-Video-T2V service in a sandboxed environment or container with minimal privileges to limit the impact of a potential compromise. Stay alert for official patches or updates from the vendor and apply them promptly once available. Additionally, conduct regular security assessments and penetration testing focused on deserialization vulnerabilities. Implement application-layer authentication and authorization to restrict API usage, even if the vulnerability itself does not require authentication.