| Titel | Yash Bhalgat HashNeRF-pytorch Affected: repository version up to commit c49502ff492abca6243505961f1aa312 CWE-502 Deserialization of Untrusted Data |
|---|
| Beschreibung | A vulnerability was found in HashNeRF-pytorch up to commit c49502ff492abca6243505961f1aa312 and classified as high severity.
Affected is the checkpoint loading logic in run_nerf.py. The application selects a checkpoint either from the user supplied --ft_path argument or by automatically discovering files containing "tar" in the derived experiment log directory. The selected file is then loaded with torch.load(ckpt_path) without validating the artifact source, integrity, signature, or using a constrained safe-loading mode.
On PyTorch versions or configurations where torch.load() performs pickle-backed deserialization for the checkpoint file, a crafted checkpoint can execute arbitrary code during deserialization before the later checkpoint dictionary fields or model state are validated.
The attack is not directly network reachable in the default repository. The attacker must cause the victim process to load an attacker-controlled checkpoint, for example by convincing a user to pass a malicious checkpoint through --ft_path, by placing or replacing a .tar checkpoint in a shared experiment/log directory, or by poisoning an automated training/CI artifact source.
Authentication required: no for malicious checkpoint delivery to a user; low local privileges may be required when exploiting a shared writable checkpoint directory.
User interaction required: yes in the common third-party checkpoint loading scenario; no if an automated workflow reloads attacker-controlled artifacts.
Technical Details
- Affected file/function: run_nerf.py / create_nerf checkpoint reload block
- Vulnerable operation: torch.load(ckpt_path)
- Vulnerable input: checkpoint file selected through --ft_path or auto-discovered under basedir/expname
- Attack vector: Local / supply-chain artifact
- Privileges required: Low in shared-directory scenarios; None when a user voluntarily loads an attacker-supplied checkpoint
- Trigger condition: the victim runs python run_nerf.py without --no_reload and the selected checkpoint path points to a malicious PyTorch checkpoint artifact
Impact
- Confidentiality: High. Code runs with the privileges of the training process and may read datasets, model weights, environment variables, API tokens, SSH keys, cloud credentials, and logs.
- Integrity: High. The attacker may modify files, model checkpoints, training outputs, or implant backdoors in artifacts.
- Availability: High. The attacker may delete files, terminate jobs, or consume resources.
CVSS v3.1
Score: 7.3 (High)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Timeline
- Discovered: 2026-06-10
- Vendor notified: 2026-06-10
- Patch released: [unknown]
- Public disclosure: 2026-06-10
Countermeasure
Avoid loading untrusted checkpoint files. Use PyTorch safe-loading options where available, such as an explicit weights_only mode compatible with the supported PyTorch version. Restrict accepted checkpoint paths and extensions, verify checkpoint integrity or signatures for external artifacts, and document that checkpoint files must be treated as executable/untrusted input unless verified. |
|---|
| Quelle | ⚠️ https://github.com/yashbhalgat/HashNeRF-pytorch/issues/49 |
|---|
| Benutzer | Dem0000000 (UID 98743) |
|---|
| Einreichung | 10.06.2026 09:18 (vor 1 Monat) |
|---|
| Moderieren | 12.07.2026 17:56 (1 month later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 377874 [yashbhalgat HashNeRF-pytorch bis 82885e698295982504eb6a26d060a6b2473e3706 Checkpoint File run_nerf.py torch.load ckpt_path erweiterte Rechte] |
|---|
| Punkte | 20 |
|---|