InternLM lmdeploy
cpe:2.3:a:internlm:lmdeploy:*:*:*:*:*:*:*
- <= 0.11
A vulnerability allowing arbitrary code execution through insecure deserialization has been identified in LMDeploy versions prior to 0.11.1. The issue arises because the 'torch.load()' function is used without the 'weights_only=True' parameter when loading model checkpoint files. This oversight allows attackers to execute malicious code on the user's machine by crafting harmful '.bin' or '.pt' model files. The vulnerability has been patched in version 0.11.1.
Exploitation of this vulnerability allows for arbitrary code execution on the victim's machine, with the executed code running under the user's privileges. This could lead to a full system compromise, unauthorized access to sensitive data such as files, credentials, and API keys, and potential deployment of malware like cryptominers or ransomware.
The vulnerability can be reproduced by loading a malicious PyTorch model file into LMDeploy. The malicious file should be crafted to include a payload that executes arbitrary code when the file is loaded. This can be done using a Python script that creates a PyTorch checkpoint file containing the malicious payload, which is then loaded in a way that simulates the vulnerable 'torch.load()' usage in LMDeploy.
Users can update to LMDeploy version 0.11.1 or later, where this vulnerability has been patched. For those unable to update, an alternative is to manually add the 'weights_only=True' parameter to 'torch.load()' calls, ensuring that only the model weights are loaded and not any potentially harmful code.