ModelScope Remote Code Execution Vulnerability via Untrusted Module Loading

Vulnerability

A remote code execution vulnerability has been identified in ModelScope version 1.25.0, and potentially earlier versions. The issue arises when models are loaded through the 'pipeline' interface for acoustic echo cancellation tasks. During the model initialization process, the framework dynamically imports Python modules based on configuration files from the model repository. This behavior can be exploited by modifying the 'dey_mini.yaml' file to include malicious code, which is then executed when the model is loaded.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the system running ModelScope, with potential consequences including system compromise and supply chain attacks via malicious model repositories.

Reproduction

To reproduce this vulnerability, upload a model to a repository that includes a 'dey_mini.yaml' file with a crafted 'nnet.module' entry pointing to malicious Python code. After uploading the model, download it using the 'snapshot_download' function from the 'modelscope' library. Then, load the model using the 'pipeline' function with the 'acoustic-echo-cancellation' task. The specified malicious code will be executed during the model initialization process.

Remediation

Users can update to ModelScope version 1.27.0, which includes a patch for this vulnerability.
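A pre-load check for the pattern described above, as an added example (not ModelScope's code or its patch): it scans the text of a downloaded config such as 'dey_mini.yaml' for 'module' entries and reports any that fall outside an operator-chosen allow-list. The allow-list prefix, the function names and the sample configs are assumptions made for illustration, and the line-based scan covers block-style YAML keys only.

```python
import re

# Assumption: the operator decides which package prefixes are trusted;
# this prefix is a placeholder, not a real ModelScope package path.
ALLOWED_PREFIXES = ("trusted_pkg.models.",)

# Block-style "module: value" at any indentation, with an optional trailing comment.
MODULE_KEY = re.compile(r"^\s*module\s*:\s*(?P<val>.*?)(?:\s+#.*)?\s*$")
DOTTED_NAME = re.compile(r"[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*")


def is_allowed(module_name, allowed=ALLOWED_PREFIXES):
    """True only for a well-formed dotted name under a trusted prefix."""
    return bool(DOTTED_NAME.fullmatch(module_name)) and module_name.startswith(allowed)


def audit_config(yaml_text, allowed=ALLOWED_PREFIXES):
    """Return (line_no, value) for each 'module:' entry that is not allow-listed.

    Flow-style mappings ({module: x}) are not matched; a full YAML parser
    would be needed to cover them.
    """
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), start=1):
        match = MODULE_KEY.match(line)
        if not match:
            continue
        value = match.group("val").strip("'\"")
        if not is_allowed(value, allowed):
            findings.append((line_no, value))
    return findings


# Constructed sample configs (not taken from any real model repository).
TRUSTED_CFG = """\
nnet:
  module: trusted_pkg.models.echo_net  # ships with the framework
  args:
    hidden: 128
"""
UNTRUSTED_CFG = """\
nnet:
  module: "repo_local_code"
"""

if __name__ == "__main__":
    for name, cfg in (("trusted", TRUSTED_CFG), ("untrusted", UNTRUSTED_CFG)):
        print(name, audit_config(cfg) or "ok")
```

Run the check on the snapshot directory's config files before passing the model to 'pipeline', and refuse to load when it returns any finding.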

Added: May 19, 2026, 3:32 PM
Updated: May 19, 2026, 3:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.0
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.