Enviar #782201: FedML-AI FedML <= 0.8.9 Remote Code Executioninformación

TítuloFedML-AI FedML <= 0.8.9 Remote Code Execution
DescripciónFedml is vulnerable to Remote Code Execution (RCE) due to unsafe deserialization in its gRPC communication manager. The application's gRPC server is exposed to all network interfaces (x.x.x.x) via an insecure port without requiring authentication. Network messages received through the sendMessage() RPC are passed directly to pickle.loads(). This allows an unauthenticated remote attacker to send a maliciously crafted Python pickle payload, which upon deserialization executes arbitrary code on the affected federated learning node.
Fuente⚠️ https://github.com/AnalogyC0de/public_exp/issues/26
Usuario
 Ana10gy (UID 93358)
Sumisión2026-03-18 09:44 (hace 30 días)
Moderación2026-04-04 08:41 (17 days later)
EstadoAceptado
Entrada de VulDB355289 [FedML-AI FedML hasta 0.8.9 gRPC server grpc_server.py sendMessage escalada de privilegios]
Puntos20

AnteriorVisión De ConjuntoPróximo

Do you want to use VulDB in your project?

Use the official API to access entries easily!