
CVE-2025-57622: n/a

Published: Tue Mar 03 2026 (03/03/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue in Step-Video-T2V allows a remote attacker to execute arbitrary code via the /vae-api, /caption-api, feature = pickle.loads(request.get_data()) component

AI-Powered Analysis

AI analysis last updated: 03/03/2026, 15:04:31 UTC

Technical Analysis

CVE-2025-57622 is a remote code execution (RCE) vulnerability in Step-Video-T2V, StepFun's open-source text-to-video generation model, whose inference serving code exposes /vae-api and /caption-api HTTP endpoints. Both endpoints hand the raw request body straight to Python's pickle.loads (the CVE description quotes the offending line, feature = pickle.loads(request.get_data())) with no authentication, integrity check or schema validation on the bytes. Pickle is not a data format but a small stack-machine bytecode: the GLOBAL/STACK_GLOBAL opcodes import any importable callable and REDUCE invokes it with attacker-chosen arguments, so a payload built from a class whose __reduce__ returns, for example, (os.system, ("...",)) runs that command as the service user at deserialization time, before any application code sees the result. The Python documentation itself warns that pickle must never be used on untrusted data for exactly this reason. No CVSS score has been assigned, and no patch or public exploit is recorded on this page. The affected versions are unspecified, so every deployment that serves these endpoints should be treated as affected until the project states otherwise. Exploitation requires only the ability to send an HTTP request to one of the two endpoints; unless the operator has put authentication in front of them, no credentials or user interaction are needed. Success gives code execution on the inference host, typically a GPU server holding model weights and often cloud or registry credentials, which can be used for data theft, service disruption, or as a foothold for further attacks.

Potential Impact

The impact is severe for any organization that runs Step-Video-T2V's inference API: a single unauthenticated HTTP request gives the attacker arbitrary code execution as the service user on the host. That host is usually a GPU inference server, so the immediate exposure is the model weights, any prompts, captions or video data in flight, and whatever secrets live in the process environment or container (cloud tokens, registry logins, SSH keys). Confidentiality, integrity and availability are all affected: the attacker can read what the service processes, tamper with generated output or the model files themselves, and halt the service or destroy data. Because these endpoints exist to be called by other machines, they are normally reachable across the deployment's network rather than only from localhost, which makes a compromised node a convenient pivot for lateral movement. Organizations relying on the model for production video or AI workloads face operational downtime, reputational damage and regulatory consequences if it is exploited, and with no patch available the urgency falls on interim mitigation.

Mitigation Recommendations

Until a fixed release exists, treat /vae-api and /caption-api as untrusted-input sinks and remove their exposure first. Bind the service to localhost or a private interface, restrict it with host firewall rules or network policy to the specific hosts that legitimately call it, and require authentication (mTLS or a bearer token enforced by a reverse proxy) in front of it. Do not rely on a WAF or RASP signature to recognise malicious pickles: the body is binary, the gadget can be spelled several ways (GLOBAL, STACK_GLOBAL, INST, NEWOBJ, REDUCE, BUILD), and a rule written for one payload misses the next. Fix the code path itself: replace pickle.loads(request.get_data()) with a format that cannot name code, such as JSON with an explicit schema check, raw float arrays read with struct or numpy.frombuffer plus a length check, or safetensors for tensors. If pickle must stay for compatibility, load through a pickle.Unpickler subclass whose find_class rejects every global, and reject bodies containing import or call opcodes before unpickling them at all. Run the service as an unprivileged user in a container with no cloud credentials mounted, and log every request to these endpoints with source address and body size so unexpected callers are visible. Inventory all deployments, including notebooks and ad-hoc inference nodes that started the server, isolate any that cannot be firewalled, watch the upstream repository for a fix, and keep EDR on the inference hosts to catch post-exploitation activity such as unexpected child processes of the Python worker.
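The following is an added example, written for this page and not taken from the Step-Video-T2V project, that shows the three points above side by side: the vulnerable pickle.loads pattern, a static opcode pre-check that refuses any pickle able to import or call something, a restricted Unpickler that still loads plain-data payloads, and a schema-checked JSON replacement. The request bodies are constructed here, and the {"feature": [...], "shape": [...]} layout is an assumption standing in for whatever the real endpoints expect. The gadget class is never unpickled with the stock loader, so running the block executes no command.

```python
import io
import json
import math
import os
import pickle
import pickletools

# Constructed sample bodies (not captured from any real deployment).
# BENIGN mimics a plausible feature payload: only containers and numbers.
BENIGN = pickle.dumps({"feature": [0.1, 0.2, 0.3], "shape": [1, 3]}, protocol=4)


class Gadget:
    """Classic pickle RCE gadget: __reduce__ tells the unpickler which
    callable to invoke and with which arguments. Feeding this to the stock
    pickle.loads would run `echo pwned` through os.system."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


MALICIOUS = pickle.dumps(Gadget(), protocol=4)  # serialising runs nothing

# Opcodes that can import or call code. A payload of plain data never needs them.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                     "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def vulnerable_loads(raw: bytes):
    """The pattern named in the CVE: trust whatever bytes the client sent."""
    return pickle.loads(raw)


def dangerous_opcodes(raw: bytes) -> list[str]:
    """Static pre-check: walk the pickle bytecode without executing it and
    return every opcode that could resolve or invoke a callable."""
    return [op.name for op, _arg, _pos in pickletools.genops(raw)
            if op.name in DANGEROUS_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup. Pure-data payloads (dict, list, tuple,
    str, bytes, int, float) never trigger find_class, so they still load;
    anything that tries to name a callable is rejected before it runs."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(raw: bytes):
    """Hardened drop-in for pickle.loads when the wire format cannot change."""
    try:
        found = dangerous_opcodes(raw)
    except ValueError as exc:  # malformed or truncated pickle stream
        raise pickle.UnpicklingError(f"malformed pickle: {exc}") from exc
    if found:
        raise pickle.UnpicklingError(f"refusing payload with opcodes {found}")
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def is_rejected(raw: bytes) -> bool:
    """Convenience wrapper: True if safe_loads refuses the body."""
    try:
        safe_loads(raw)
    except pickle.UnpicklingError:
        return True
    return False


def parse_feature_json(raw: bytes) -> dict:
    """Preferred replacement on this trust boundary: JSON plus an explicit
    schema check, so the body can describe data but never code."""
    obj = json.loads(raw.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != {"feature", "shape"}:
        raise ValueError("body must be an object with exactly feature and shape")
    feature, shape = obj["feature"], obj["shape"]
    if not isinstance(feature, list) or not all(
            isinstance(x, (int, float)) and not isinstance(x, bool) for x in feature):
        raise ValueError("feature must be a list of numbers")
    if not isinstance(shape, list) or not shape or not all(
            isinstance(d, int) and not isinstance(d, bool) and d > 0 for d in shape):
        raise ValueError("shape must be a non-empty list of positive ints")
    if math.prod(shape) != len(feature):
        raise ValueError("shape does not match feature length")
    return obj


if __name__ == "__main__":
    print("benign via safe_loads:", safe_loads(BENIGN))
    print("malicious opcodes:", dangerous_opcodes(MALICIOUS))
    print("malicious rejected:", is_rejected(MALICIOUS))
    print("json:", parse_feature_json(b'{"feature": [0.5, 1.5], "shape": [2]}'))
```

The opcode scan and the find_class override are complementary: the scan refuses the body before the unpickler's stack machine starts, and the override is the backstop if a scan bypass is ever found. Neither is a substitute for the JSON path, which is the change a fix for this CVE should make.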

Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-08-17T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 69a6f4b6d1a09e29cb4db064

Added to database: 3/3/2026, 2:48:22 PM

Last enriched: 3/3/2026, 3:04:31 PM

Last updated: 3/4/2026, 6:23:41 AM
