Enviar #552245: xorbitsai inference 0.15.0 to 1.4.1 Deserializationinformación

Títuloxorbitsai inference 0.15.0 to 1.4.1 Deserialization
DescripciónThe inference tool by xorbitsai is an LLM deployment tool. It's used to load, run, and manage LLMs for inference tasks. In the xinference/thirdparty/cosyvoice/cli/model.py file , there's a CWE - 502 vulnerability in the load method. This vulnerability exists in version v1.x. The torch.load function is used without the weights_only=True parameter, allowing arbitrary code execution if malicious files are loaded. This poses security risks like unauthorized access and data leakage. More details: https://github.com/xorbitsai/inference/issues/3190
Fuente⚠️ https://github.com/xorbitsai/inference/issues/3190
Usuario
 ybdesire (UID 83239)
Sumisión2025-04-06 16:22 (hace 1 Año)
Moderación2025-04-15 03:16 (8 days later)
EstadoAceptado
Entrada de VulDB304679 [Xorbits Inference hasta 1.4.1 model.py load escalada de privilegios]
Puntos20

AnteriorVisión De ConjuntoPróximo

Want to know what is going to be exploited?

We predict KEV entries!