| tiêu đề | FedML-AI FedML <= 0.8.9 Remote Code Execution |
|---|
| Mô tả | Fedml is vulnerable to Remote Code Execution (RCE) due to unsafe deserialization in its gRPC communication manager. The application's gRPC server is exposed to all network interfaces (x.x.x.x) via an insecure port without requiring authentication. Network messages received through the sendMessage() RPC are passed directly to pickle.loads(). This allows an unauthenticated remote attacker to send a maliciously crafted Python pickle payload, which upon deserialization executes arbitrary code on the affected federated learning node.
|
|---|
| Nguồn | ⚠️ https://github.com/AnalogyC0de/public_exp/issues/26 |
|---|
| Người dùng | Ana10gy (UID 93358) |
|---|
| Đệ trình | 18/03/2026 09:44 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 04/04/2026 08:41 (17 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 355289 [FedML-AI FedML đến 0.8.9 gRPC server grpc_server.py sendMessage nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|