lm-sys FastChat Deserialization Vulnerability Leading to Arbitrary Code Execution
Vulnerability
A critical deserialization vulnerability has been identified in lm-sys FastChat versions through 0.2.36. The issue lies in the file fastchat/model/apply_delta.py, specifically in the split_files and apply_delta_low_cpu_mem functions, where torch.load is called on untrusted data without the weights_only=True parameter, the setting that restricts the unpickler to tensor data and refuses arbitrary objects. Without it, the deserialization step can execute arbitrary code embedded in a crafted file, potentially leading to unauthorized access, data leakage, or system compromise. Exploitation requires local access.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the system where FastChat is running.
Reproduction
To reproduce this vulnerability, an attacker needs access to a system running a vulnerable version of FastChat. A malicious pickle file that executes arbitrary code when deserialized is put in place of a legitimate input file, so that one of the vulnerable torch.load calls in apply_delta.py loads it. Because that call lacks weights_only=True, the embedded code runs as soon as the file is loaded.
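The following is an added example, not code from FastChat or from this advisory, illustrating the mechanism behind the fix: a loader that refuses to resolve any global the stream names unless it is on an allowlist, which is the principle torch applies when weights_only=True is set. It uses the standard-library pickle module as a stand-in for torch.load so it runs without torch installed; the allowlist, the sample checkpoint, the untrusted stream (a harmless fractions.Fraction standing in for whatever callable a crafted file would name) and the two call-site strings are all constructed for this example.

```python
import collections
import fractions
import io
import pickle
import re

# Allowlist of the only (module, name) globals a checkpoint is allowed to
# reference. Constructed for this example: torch's weights_only=True mode keeps
# its own allowlist of tensor and storage types; this set stands in for it.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global reference that is not explicitly allowlisted.

    Code execution through pickle requires the stream to name a callable
    (resolved via find_class) and then invoke it. Vetoing the lookup here is
    what removes that capability from untrusted input.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from untrusted data"
        )


def load_unrestricted(data: bytes):
    """Stand-in for torch.load without weights_only: resolves any global."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Stand-in for the hardened loader: returns the object, or None when the
    stream references anything outside SAFE_GLOBALS."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None


def uses_weights_only(call_source: str) -> bool:
    """Crude audit helper for reviewing torch.load call sites in source text."""
    return "torch.load(" in call_source and bool(
        re.search(r"weights_only\s*=\s*True", call_source)
    )


# --- constructed sample inputs ---------------------------------------------
# A legitimate checkpoint-like object: an OrderedDict of weight lists.
LEGIT_CHECKPOINT = pickle.dumps(
    collections.OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])])
)
# A stream that names a global outside the allowlist. fractions.Fraction is
# harmless; it only shows that the restricted loader rejects the reference.
UNTRUSTED_STREAM = pickle.dumps(fractions.Fraction(1, 3))

# Call sites as they might be written (constructed, not quoted from the project).
VULNERABLE_CALL = "state_dict = torch.load(delta_path)"
HARDENED_CALL = "state_dict = torch.load(delta_path, weights_only=True)"

if __name__ == "__main__":
    print("legit via restricted loader:", safe_load(LEGIT_CHECKPOINT))
    print("untrusted via unrestricted loader:", load_unrestricted(UNTRUSTED_STREAM))
    print("untrusted via restricted loader:", safe_load(UNTRUSTED_STREAM))
    for call in (VULNERABLE_CALL, HARDENED_CALL):
        print(f"{call!r}: weights_only set = {uses_weights_only(call)}")
```

The unrestricted loader happily reconstructs whatever the stream names, which is why a checkpoint path an untrusted party can write to becomes a code-execution path; the restricted loader returns the legitimate checkpoint unchanged and rejects the other stream at the global lookup, before anything in it is invoked. The uses_weights_only helper is only a text check for spotting call sites that still lack the parameter during review.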
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
