Submit #552245: xorbitsai inference 0.15.0 to 1.4.1 Deserialization

Title: xorbitsai inference 0.15.0 to 1.4.1 Deserialization
Description: The inference tool by xorbitsai is an LLM deployment tool. It's used to load, run, and manage LLMs for inference tasks. In the xinference/thirdparty/cosyvoice/cli/model.py file, there's a CWE-502 vulnerability in the load method. This vulnerability exists in version v1.x. The torch.load function is used without the weights_only=True parameter, allowing arbitrary code execution if malicious files are loaded. This poses security risks like unauthorized access and data leakage. More details: https://github.com/xorbitsai/inference/issues/3190
Source: https://github.com/xorbitsai/inference/issues/3190
User: ybdesire (UID 83239)
Submission: 06/04/2025 16:22 (1 year ago)
Moderation: 15/04/2025 03:16 (8 days later)
Status: Accepted
VulDB Entry: 304679 [Xorbits Inference up to 1.4.1 model.py load privilege escalation]
Points: 20
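
A way to audit a code base for the pattern the description names, torch.load called without weights_only=True, using only the Python standard library. This is an added example, not code from the submission or from the xorbitsai project; the function names and the SAMPLE source (including llm_model, flow_model and load_kwargs) are constructed for illustration.

```python
import ast

def _is_torch_load(func):
    # Matches the attribute call `torch.load(...)`; aliased imports are out of scope.
    return (isinstance(func, ast.Attribute) and func.attr == "load"
            and isinstance(func.value, ast.Name) and func.value.id == "torch")

def find_unsafe_torch_load(source, filename="<src>"):
    """Return (line, reason) for each torch.load call not pinned to weights_only=True."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not (isinstance(node, ast.Call) and _is_torch_load(node.func)):
            continue
        kw = {k.arg: k.value for k in node.keywords if k.arg is not None}
        has_splat = any(k.arg is None for k in node.keywords)
        value = kw.get("weights_only")
        if value is None:
            reason = "weights_only hidden in **kwargs" if has_splat else "weights_only not set"
        elif isinstance(value, ast.Constant) and value.value is True:
            continue  # explicitly restricted to tensor/weight data
        elif isinstance(value, ast.Constant):
            reason = "weights_only=%r" % (value.value,)
        else:
            reason = "weights_only is not a literal"
        findings.append((node.lineno, reason))
    return sorted(findings)

# Constructed sample source, not the project's code.
SAMPLE = '''\
import torch

def load(self, llm_model, flow_model):
    self.llm.load_state_dict(torch.load(llm_model, map_location=self.device))
    self.flow.load_state_dict(
        torch.load(flow_model, map_location=self.device, weights_only=True))
    extra = torch.load(flow_model, weights_only=False)
    opts = torch.load(llm_model, **self.load_kwargs)
'''

if __name__ == "__main__":
    for line, reason in find_unsafe_torch_load(SAMPLE):
        print("line %d: torch.load with %s" % (line, reason))
```

Calls flagged as "not a literal" or "hidden in **kwargs" need manual review, since the effective value is only known at run time.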
