| Title | XU-YIJIE grpo-flat 0.0 Deserialization |
|---|
| Description | A high - risk vulnerability exists in the `grpo-flat` project when using `torch.load` for training state restoration. In the `grpo_vanilla.py` file (lines L212C1 - L222C1), the code attempts to resume training from a "training_state.pt" file in the `model_name_or_path` directory using `torch.load` without setting `weights_only=True`. When loading untrusted data (e.g., from an external source or an untrusted location), if the file contains malicious pickle data, it can trigger the deserialization of untrusted data. As Python's pickle format can embed arbitrary code execution during deserialization, an attacker can create a malicious "training_state.pt" file. Once the `torch.load` function is called, the attacker's code will execute, potentially leading to unauthorized access to system resources, data theft, or system compromise. All versions of the affected code are impacted.
More details: https://github.com/XU-YIJIE/grpo-flat/issues/3 |
|---|
| Source | ⚠️ https://github.com/XU-YIJIE/grpo-flat/issues/3 |
|---|
| User | ybdesire (UID 83239) |
|---|
| Submission | 05/04/2025 13:51 (12 months ago) |
|---|
| Moderation | 05/15/2025 10:02 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 309042 [XU-YIJIE grpo-flat up to 9024b43f091e2eb9bac65802b120c0b35f9ba856 grpo_vanilla.py main deserialization] |
|---|
| Points | 20 |
|---|