LightLLM Unauthenticated Remote Code Execution Vulnerability via Pickle Deserialization in WebSocket Endpoints
Vulnerability
A remote code execution vulnerability has been identified in LightLLM versions through 1.1.0. This issue arises in the PD (prefill-decode) disaggregation mode, where the PD master node exposes WebSocket endpoints that accept binary frames. The vulnerability stems from the WebSocket server deserializing these frames with pickle.loads() without any authentication or validation. As a result, a remote attacker with access to the PD master can send a crafted payload to execute arbitrary code on the server.
Impact
Exploitation of this vulnerability allows for unauthenticated remote code execution on the server running LightLLM in PD disaggregation mode.
Reproduction
To reproduce this vulnerability, connect to the PD master WebSocket endpoint '/pd_register' or '/kv_move_status' using a WebSocket client. First, send a JSON registration frame to the '/pd_register' endpoint. After the registration is acknowledged, send a binary frame containing a malicious pickle payload that, when deserialized, executes a command on the server. The '/kv_move_status' endpoint can be exploited directly by sending a crafted pickle payload without the registration step.
Remediation
It is recommended to replace 'pickle.loads()' with a safer serialization format, such as JSON or MessagePack, for WebSocket communication. Additionally, implementing authentication for the WebSocket endpoints would prevent unauthenticated access. If pickle must be used, consider employing a 'RestrictedUnpickler' (an 'Unpickler' subclass whose 'find_class()' resolves only an allowlist of safe classes) so that untrusted frames cannot reference arbitrary callables.
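As an added example of the 'RestrictedUnpickler' approach described above (this is not LightLLM's own code), the decoder below accepts JSON on text frames and, for binary frames, only pickles that reference allowlisted builtins. The frame field names and the sample frames are constructed assumptions, not real PD node traffic.

```python
import io
import json
import os
import pickle

# Globals the unpickler may resolve; anything else (os.system, subprocess.Popen,
# builtins.eval, ...) is refused before any object is constructed.
# Assumption: status frames only ever carry plain containers and scalars.
SAFE_GLOBALS = {("builtins", n) for n in
                ("dict", "list", "tuple", "set", "frozenset",
                 "str", "int", "float", "bool", "bytes")}

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted (module, name) pairs; reject everything else."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() on untrusted bytes."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def decode_status_frame(frame):
    """Decode one WebSocket frame: text must be JSON (preferred), binary is
    accepted only via the restricted unpickler. Raises ValueError otherwise."""
    if isinstance(frame, str):
        return json.loads(frame)
    if isinstance(frame, bytes):
        try:
            return restricted_loads(frame)
        except (pickle.UnpicklingError, EOFError) as exc:
            raise ValueError(f"rejected binary frame: {exc}") from exc
    raise ValueError("unsupported frame type")

def frame_is_rejected(frame) -> bool:
    """True if decode_status_frame() refuses the frame."""
    try:
        decode_status_frame(frame)
    except ValueError:
        return True
    return False

# Constructed sample frames (not real LightLLM traffic): a benign status dict,
# and a pickle whose only content is a reference to a non-allowlisted global
# (os.getcwd); the restricted unpickler refuses it without running anything.
SAMPLE_STATUS = {"node_id": "decode-1", "kv_moved": 3}
SAMPLE_STATUS_PICKLE = pickle.dumps(SAMPLE_STATUS)
SAMPLE_FORBIDDEN_PICKLE = pickle.dumps(os.getcwd)
```

The allowlist is deliberately small; any class a node legitimately needs to send must be added explicitly, which is the point of the pattern.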
