| 제목 | thu-pacman chitu <0.1.0 Deserialization |
|---|
| 설명 | chitu is a high-performance inference framework for large language models (LLM). A vulnerability has been identified within its codebase regarding the use of the torch.load function. In the model loading process of Chitu, the torch.load function is repeatedly utilized to load checkpoint files without specifying the weights_only=True parameter. This oversight allows the function to deserialize the entire content of the checkpoint file, including any malicious Python objects and code that might be embedded.
More details: https://github.com/thu-pacman/chitu/issues/32 |
|---|
| 원천 | ⚠️ https://github.com/thu-pacman/chitu/issues/32 |
|---|
| 사용자 | ybdesire (UID 83239) |
|---|
| 제출 | 2025. 03. 25. AM 10:47 (1 년도 ago) |
|---|
| 모더레이션 | 2025. 04. 03. AM 09:17 (9 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 303111 [thu-pacman chitu 0.1.0 chitu/chitu/backend.py torch.load ckpt_path/quant_ckpt_dir 권한 상승] |
|---|
| 포인트들 | 20 |
|---|