Xorbits Inference Deserialization Vulnerability in Model Loading Function

Vulnerability

A critical deserialization vulnerability has been identified in Xorbits Inference versions through 1.4.1. The issue is in the model.py file, specifically in the load function, where torch.load is used to deserialize model files from untrusted sources without validation. Because torch.load is pickle-based, a maliciously crafted model file can execute arbitrary code when it is loaded, posing significant security risks such as unauthorized access and data leakage.

Impact

Exploitation of this vulnerability allows for arbitrary code execution during the deserialization process, potentially leading to unauthorized access, data leakage, or system compromise.

Reproduction

To reproduce this vulnerability, prepare malicious pickle files containing arbitrary code and replace the model file arguments in the load method with paths to these files. When the modified script is executed, the malicious code will be executed during the deserialization process, demonstrating the vulnerability.

Remediation

The vulnerability can be mitigated by adding the weights_only=True parameter to all torch.load calls in the load method. With this setting torch.load uses a restricted unpickler that only reconstructs tensors, primitive types and a small allowlist of containers, so code embedded in a crafted file is rejected instead of executed. Note that weights_only requires a PyTorch release that supports it (it was introduced in 1.13 and became the default in 2.6), and checkpoints that legitimately pickle custom objects will fail to load under it and must be converted to plain state dicts.
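As an added, defender-side example that is not part of this advisory or the Xorbits Inference code base: a pre-load scanner that lists the globals a checkpoint's pickle streams would import (a raw pickle, or every *.pkl entry in the zip layout torch.save produces) by walking pickle opcodes without unpickling anything, plus a loader that combines it with the weights_only=True remediation. ALLOWED_GLOBALS, the helper names and the sample pickles are assumptions constructed here; torch is only needed by load_checkpoint.

```python
import io, json, pickle, pickletools, zipfile
from collections import OrderedDict

# Globals a plain state_dict checkpoint needs; anything else (os, subprocess, builtins, ...) is a red flag.
ALLOWED_GLOBALS = frozenset({
    ("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"), ("torch", "Size"),
    ("torch", "FloatStorage"), ("torch", "HalfStorage"), ("torch", "BFloat16Storage"),
})
def pickle_globals(data: bytes) -> set:
    """Every (module, name) the stream would import, read from the opcodes without unpickling anything."""
    found, strings, memo, last = set(), [], {}, None
    for op, arg, _ in pickletools.genops(data):
        pushed = None
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8"):
            pushed = arg
        elif op.name in ("BINGET", "LONG_BINGET"):  # re-use of a memoized string (repeated module name)
            pushed = memo.get(arg)
        elif op.name == "MEMOIZE":                  # protocol 4: implicit memo slot
            memo[len(memo)] = last
        elif op.name in ("BINPUT", "LONG_BINPUT"):  # protocol <= 3: explicit memo slot
            memo[arg] = last
        elif op.name == "GLOBAL":                   # protocol <= 3: "module name" carried in the opcode
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":             # protocol 4+: module and name are the top two strings
            name, module = strings.pop(), strings.pop()
            found.add((module, name))
        if pushed is not None:
            strings.append(pushed)
        last = pushed
    return found

def unexpected_globals(blob: bytes, allowed=ALLOWED_GLOBALS) -> dict:
    """Scan a raw pickle or a torch zip checkpoint (each *.pkl entry); map stream name -> disallowed globals."""
    streams = {"<raw pickle>": blob}
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = {n: zf.read(n) for n in zf.namelist() if n.endswith(".pkl")}
    return {n: extra for n, d in streams.items() if (extra := pickle_globals(d) - allowed)}
def load_checkpoint(path: str):
    # Remediated loader: reject unknown globals first, then let torch's weights_only unpickler enforce it too.
    import torch  # assumption: torch is installed; imported lazily so the scanner runs without it
    with open(path, "rb") as f:
        if extra := unexpected_globals(f.read()):
            raise ValueError(f"refusing to load {path}: unexpected globals {extra}")
    return torch.load(path, map_location="cpu", weights_only=True)
# Constructed samples (not real Xorbits files): a state_dict-shaped pickle, one that merely references
# non-weight callables (json.loads / json.dumps), and the latter in the zip layout torch.save produces.
BENIGN = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=2)
SUSPICIOUS = pickle.dumps((json.loads, json.dumps), protocol=4)
ZIPPED = io.BytesIO()
with zipfile.ZipFile(ZIPPED, "w") as zf:
    zf.writestr("archive/data.pkl", SUSPICIOUS)
```

The scanner is a first line of defence for CI or an upload gate; weights_only=True in load_checkpoint remains the actual fix, since the allowlist here is only as complete as you keep it.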

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.