VITA-MLLM Freeze-Omni Deserialization Vulnerability in torch.load Function Allowing Arbitrary Code Execution

Vulnerability

A deserialization vulnerability has been identified in VITA-MLLM Freeze-Omni versions up to 20250421. The issue is in the models/utils.py file, specifically in the call to torch.load. An attacker who controls the path argument can point it at a file containing malicious pickle data, which is executed during deserialization, resulting in arbitrary code execution. The attack is carried out on the local host.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the system where the vulnerable version of Freeze-Omni is running.

Reproduction

To reproduce this vulnerability, create a malicious file containing crafted pickle data designed to execute arbitrary code when deserialized. Then call the load_checkpoint function, passing the path to the malicious file as the path parameter. torch.load deserializes the data and executes the malicious code because the weights_only parameter is not set to True.

Remediation

To address this vulnerability, set the weights_only parameter to True when calling torch.load. This restricts deserialization to model weights, so arbitrary pickle code is not executed. If the map_location parameter is used, it should be set to 'cpu'.
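As an added example (not Freeze-Omni's own code), the following hardened loader applies the remediation above: torch.load is called with weights_only=True and map_location='cpu', the path argument is confined to a trusted checkpoint directory, and the result is checked to be a plain tensor state_dict. The names load_checkpoint_hardened, UntrustedCheckpoint, Marker and demo are hypothetical, and torch is assumed to be installed (weights_only requires torch 1.13 or later).

```python
import pickle
import tempfile
from pathlib import Path

import torch  # assumed installed; weights_only needs torch >= 1.13


class UntrustedCheckpoint(Exception):
    """Raised when a checkpoint fails one of the checks in load_checkpoint_hardened."""


def load_checkpoint_hardened(path, trusted_dir):
    """Hardened replacement for a load_checkpoint() that calls torch.load(path) bare.

    weights_only=True makes torch use a restricted unpickler that rebuilds tensors
    and plain containers only, so other pickle globals are refused, not executed.
    map_location='cpu' keeps the load independent of the saving host's devices.
    """
    resolved, trusted = Path(path).resolve(), Path(trusted_dir).resolve()
    if not resolved.is_relative_to(trusted):  # reject paths outside the model dir
        raise UntrustedCheckpoint(f"{resolved} is outside {trusted}")
    try:
        state = torch.load(resolved, map_location="cpu", weights_only=True)
    except (pickle.UnpicklingError, RuntimeError) as exc:
        raise UntrustedCheckpoint(f"rejected {resolved.name}: {exc}") from exc
    # Belt and braces: a state_dict is a dict of tensors and nothing else.
    if not isinstance(state, dict) or not all(isinstance(v, torch.Tensor) for v in state.values()):
        raise UntrustedCheckpoint("checkpoint is not a plain tensor state_dict")
    return state


class Marker:
    """Harmless stand-in for any non-tensor object smuggled into a checkpoint."""


def demo():
    """Constructed sample: a tensor-only file, a file carrying a Marker, and a file
    outside the trusted dir. Returns (good keys, odd rejected?, outside rejected?)."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "checkpoints"
        trusted.mkdir()
        torch.save({"w": torch.zeros(2, 2)}, trusted / "good.pt")
        torch.save({"w": torch.zeros(2, 2), "x": Marker()}, trusted / "odd.pt")
        torch.save({"w": torch.zeros(2, 2)}, Path(tmp) / "elsewhere.pt")
        results = [sorted(load_checkpoint_hardened(trusted / "good.pt", trusted))]
        for bad in (trusted / "odd.pt", Path(tmp) / "elsewhere.pt"):
            try:
                load_checkpoint_hardened(bad, trusted)
                results.append(False)
            except UntrustedCheckpoint:
                results.append(True)
    return tuple(results)
```

The odd.pt file holds only a harmless class instance, yet the restricted unpickler still refuses it, which is exactly the behaviour that stops a crafted pickle from running.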

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

  spread           0.0
  impact          10.0
  exploitability   5.8
  remediation      0.0
  relevance        0.0
  threat           6.4
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.