FunAudioLLM InspireMusic Pickle Data Deserialization Vulnerability in Load State Dict Function

Vulnerability

A critical vulnerability exists in FunAudioLLM InspireMusic versions prior to the commit 784cbf8dde2cf1456ff808aeba23177e1810e7a9. The issue arises in the Pickle Data Handler component, specifically within the load_state_dict function of inspiremusic/cli/model.py. This vulnerability allows untrusted data deserialization: torch.load, which unpickles checkpoint files under the hood, is called without the weights_only=True parameter that restricts the unpickler to the tensor and container types a state dict needs. The flaw requires local exploitation, where an attacker can craft a malicious file containing pickle data that, when loaded, executes arbitrary code. Such exploitation could lead to unauthorized system access, data leakage, or unapproved modifications to system settings.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the system where the application is running.

Reproduction

To reproduce this vulnerability, load a malicious file containing crafted pickle data into the application using the torch.load function without the weights_only=True parameter. This can be done by passing the file path of the malicious pickle file to the llm_model or flow_model parameters of the load_state_dict function.
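
The following is an added example, not code from the InspireMusic project or from this advisory. It shows in pure Python the mechanism that weights_only=True relies on: every global a pickle stream references is resolved through the unpickler's find_class, so an allowlist there is the choke point that stops a checkpoint from handing back an arbitrary callable. The allowlist, the sample state dict, and the name safe_load are assumptions made for the demo; torch.load(weights_only=True) uses its own, much larger internal allowlist for tensor and storage types. The "suspicious" sample merely references os.getcwd, a harmless function, to show that the loader refuses to resolve anything outside the allowlist without ever running it.

```python
import collections
import io
import os
import pickle

# Allowlist of (module, name) pairs the restricted loader may resolve.
# Assumption for this demo only: a plain state dict of lists needs just
# OrderedDict. Real PyTorch checkpoints need the tensor/storage types that
# torch's weights_only mode permits internally.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside an allowlist.

    pickle routes every GLOBAL / STACK_GLOBAL opcode through find_class, so
    overriding it means a stream can only obtain a class or function if this
    method chooses to return it.
    """

    def __init__(self, file, allowed=ALLOWED_GLOBALS):
        super().__init__(file)
        self.allowed = allowed
        self.requested = []  # audit trail: every (module, name) the stream asked for

    def find_class(self, module, name):
        self.requested.append((module, name))
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not in allowlist")


def safe_load(data: bytes, allowed=ALLOWED_GLOBALS):
    """Unpickle `data` with the allowlist enforced.

    Returns (obj, requested) so a caller can log which globals the file
    referenced, which is useful when triaging third-party checkpoints.
    """
    up = RestrictedUnpickler(io.BytesIO(data), allowed)
    obj = up.load()
    return obj, up.requested


def load_report(data: bytes):
    """Return ('ok', obj) for an accepted stream or ('rejected', reason)."""
    try:
        obj, _ = safe_load(data)
        return "ok", obj
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)


# Constructed sample inputs (not taken from the advisory):
# 1. a benign checkpoint-like state dict, the shape load_state_dict expects
BENIGN = pickle.dumps(collections.OrderedDict(
    [("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])]))
# 2. a stream that references a function outside the allowlist. os.getcwd is
#    harmless; the point is that the loader never resolves it at all.
SUSPICIOUS = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    print(load_report(BENIGN))      # ('ok', OrderedDict(...))
    print(load_report(SUSPICIOUS))  # ('rejected', 'refusing to resolve ...')
```

For the actual fix in a PyTorch code base the equivalent is simply passing weights_only=True to torch.load; the class above is what that flag amounts to, with torch's own allowlist in place of ALLOWED_GLOBALS. Logging the `requested` list from untrusted checkpoints is a cheap detection signal: a state dict that asks for anything outside the tensor and container types is worth quarantining before it is ever loaded with the unrestricted path.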

Remediation

Users are advised to update to the latest version of FunAudioLLM InspireMusic, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.