Vulnerability: Risk of arbitrary code execution via untrusted data deserialization in torch.load (CWE-502) #29

Open
ybdesire opened this issue Apr 21, 2025 · 0 comments


Description

This code contains a vulnerability of type CWE-502: Deserialization of Untrusted Data. The torch.load function is used to load data from a file specified by the path parameter. However, it does not include the weights_only=True parameter.

Impacted code

```python
checkpoint = torch.load(path)

checkpoint = torch.load(path, map_location='cpu')
```

The torch.load function deserializes the data from the file. If the file contains malicious pickle data, it can lead to the execution of arbitrary code during the deserialization process. This is a serious security risk because an attacker could craft a malicious file and trick the system into loading it, potentially gaining unauthorized access to the system or causing other malicious actions.

Exploit

An attacker can create a malicious file with crafted pickle data. The malicious data can be designed to execute arbitrary code when deserialized by the torch.load function.

To exploit this vulnerability, the attacker first creates a malicious file containing the malicious pickle data. Then, the attacker needs to find a way to make the victim's system load this malicious file. This could be achieved by tricking the victim into providing the path to the malicious file as the path parameter when calling the load_checkpoint function.

Once the load_checkpoint function is called with the path to the malicious file, the torch.load function will deserialize the data in the file. Since the weights_only=True parameter is not used, the malicious pickle data will be executed, allowing the attacker to gain unauthorized access to the system or perform other malicious actions.

To mitigate this vulnerability, the weights_only=True parameter should be added when calling the torch.load function to ensure that only model weights are loaded and prevent the execution of arbitrary code. For example:

```python
checkpoint = torch.load(path, weights_only=True)
```

or

```python
checkpoint = torch.load(path, map_location='cpu', weights_only=True)
```

Impacted Version

All versions are affected by this vulnerability, and there is no fix for it on the current latest main branch.
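The following is an added example, not code from the issue author or the project it was filed against. It shows the mechanism that `weights_only=True` relies on: pickle resolves class and function references through `Unpickler.find_class`, so an unpickler that only honours an allowlist of modules and names refuses any other global before it can be reconstructed or called. The restricted unpickler, its `SAFE_GLOBALS` allowlist, the sample payloads and the `load_checkpoint_safely` wrapper are all assumptions made for this example (the wrapper is named after the `load_checkpoint` function the issue mentions and simply applies the `weights_only=True` fix quoted above). The demonstration part runs without torch installed.

```python
import fractions
import io
import pickle

# Allowlist of (module, name) pairs the restricted unpickler may resolve.
# This is the same idea torch.load(..., weights_only=True) applies: only a
# fixed set of harmless containers can be rebuilt; every other GLOBAL or
# STACK_GLOBAL reference in the stream is refused before it is looked up.
# (Assumed allowlist for this example; not PyTorch's own list.)
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "tuple"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        # Refuse instead of importing: an attacker-controlled stream must not
        # be able to name arbitrary callables for the REDUCE opcode.
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}: not in allowlist"
        )


def restricted_loads(data: bytes):
    """Deserialize a byte string with the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_checkpoint_safely(path, map_location="cpu"):
    """Hardened form of the issue's load_checkpoint (assumed name):
    the fix the issue proposes, weights_only=True, applied in one place."""
    import torch  # imported lazily so the rest of this file runs without torch

    return torch.load(path, map_location=map_location, weights_only=True)


# Constructed sample payloads (not real checkpoints).
# A plain dict of numbers and lists pickles with no global references at all,
# which is the shape of data a weights-only loader is meant to accept.
BENIGN = pickle.dumps({"epoch": 3, "weights": [0.1, 0.2, 0.3]})

# A pickle that references a global outside the allowlist. fractions.Fraction
# is harmless, but the unpickler cannot know that, and a reference to anything
# dangerous is refused in exactly the same way.
NON_ALLOWLISTED = pickle.dumps(fractions.Fraction(1, 2))


def demo():
    """Returns (benign object, True if the non-allowlisted stream was refused)."""
    loaded = restricted_loads(BENIGN)
    try:
        restricted_loads(NON_ALLOWLISTED)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    return loaded, refused


if __name__ == "__main__":
    print(demo())
```

Refusing at `find_class` time is the important design choice: the check happens before the referenced object exists, so nothing attacker-chosen is ever imported or invoked. When torch is installed, `load_checkpoint_safely` gives the checkpoint loader that behaviour via `weights_only=True`; the remaining caveat is that a checkpoint which legitimately contains custom classes will then fail to load and must be converted to plain tensors and containers first.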
