Description
The code snippet uses the torch.load function to load data without specifying the weights_only=True parameter. torch.load deserializes data with pickle, so when it loads untrusted data it may execute arbitrary code during the deserialization process. Since the source of the data loaded by torch.load is not verified, there is a risk that malicious pickle data can be used to exploit this vulnerability.
https://github.com/FunAudioLLM/InspireMusic/blob/455f99a0ba6fdfe2e4d00249c095fc76ecbbd42d/inspiremusic/cli/model.py#L84
https://github.com/FunAudioLLM/InspireMusic/blob/455f99a0ba6fdfe2e4d00249c095fc76ecbbd42d/inspiremusic/cli/model.py#L89
Exploit
An attacker can create a malicious file containing crafted pickle data. When the torch.load call in the referenced code loads this file, the deserialization process executes the arbitrary code embedded in the pickle data. This can lead to various security issues, such as unauthorized access to the system, data leakage, or modification of system settings.
Impacted
All versions of the code that use the torch.load function without the weights_only=True parameter to load untrusted data are affected.
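As an added example (not code from the InspireMusic project), the allowlisting that weights_only=True applies is reproduced here with the standard-library pickle module so it runs without torch; the SAFE_GLOBALS contents, the helper names, and the two constructed checkpoints are assumptions for illustration.

```python
"""Mirror of what torch.load(weights_only=True) does: resolve only an
allowlist of globals, so a checkpoint that references anything else is
rejected before the unpickler can resolve (let alone call) it.
Added example, not part of InspireMusic; torch is not required."""
import io
import os
import pickle
from collections import OrderedDict

# Allowlist of (module, name) pairs a checkpoint may reference. torch's
# weights_only loader uses a similar allowlist (tensor storages,
# collections.OrderedDict, ...); this stand-in admits only OrderedDict.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is invoked for every GLOBAL/STACK_GLOBAL opcode, so
    refusing here stops the attacker-chosen callable from being resolved."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing global {module}.{name}: not in allowlist")


def safe_load(data: bytes):
    """Equivalent in spirit to torch.load(..., weights_only=True)."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_load(data: bytes):
    """Equivalent in spirit to torch.load(...) with no weights_only:
    any global the file names is resolved without question."""
    return pickle.loads(data)


def load_checkpoint_safely(data: bytes):
    """Return (object, None) on success or (None, reason) on rejection."""
    try:
        return safe_load(data), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


# Constructed sample 1: a plain state dict (OrderedDict of lists/ints).
BENIGN_CKPT = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2]),
                                        ("epoch", 3)]))
# Constructed sample 2: a file that references a global outside the
# allowlist. os.getcwd is harmless and is only referenced, never called,
# but the unrestricted loader resolves it exactly as it would any callable.
SUSPICIOUS_CKPT = pickle.dumps(os.getcwd)
```

Running load_checkpoint_safely on SUSPICIOUS_CKPT returns a rejection reason, while unsafe_load hands back the resolved function object, which is the behaviour the report warns about.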