CRITICAL 9.8

GHSA-pq2f-x424-6fjm

mamba language model framework vulnerable to insecure deserialization when loading pre-trained models from HuggingFace Hub

Details

The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method uses torch.load() to load the pytorch_model.bin weight file without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by publishing a malicious model repository on HuggingFace Hub. When a victim loads a model from this repository, arbitrary code is executed on the victim's system in the context of the mamba process.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / mamba-ssm

Introduced in: 0

No fixed version published yet for mamba-ssm (pip). Pin to a known-safe version or switch to an alternative.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-31239 [ADVISORY]
https://github.com/state-spaces/mamba [PACKAGE]
https://www.notion.so/CVE-2026-31239-35d1e1393188810d9baedfbd8363f396 [WEB]