Flair Language Model Deserialization Vulnerability Leading to Arbitrary Code Execution
Vulnerability
A vulnerability allowing arbitrary code execution has been identified in the Flair library's LanguageModel class, present in versions 0.4.1 through the latest release. The issue arises from the deserialization of untrusted data in the load_language_model method, which calls torch.load() with the weights_only parameter set to False. With that setting, PyTorch falls back on Python's pickle module to reconstruct objects, and pickle can instantiate arbitrary classes and call arbitrary importable functions while deserializing, so a crafted model file can run code of the file author's choosing. The vulnerability can be exploited if an attacker controls the model file path passed to the loader.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the system where Flair is running.
Reproduction
The vulnerability can be reproduced by creating a malicious pickle file that, when loaded, executes arbitrary commands. This file can be generated using a Python script that defines an exploit class, serializes it with pickle, and saves it as a .pkl file. Once the malicious file is created, it can be loaded into the Flair model using the FlairEmbeddings class, which will execute the embedded command.
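The defensive counterpart to the load path described above, as an added example that is not Flair's or PyTorch's code: the allowlist pattern that torch.load(weights_only=True) applies internally, shown on plain pickle data so it runs without torch. The allowlist contents and the three sample streams are constructed for illustration.

```python
"""Allowlisted unpickling: the check that weights_only=False skips.

A pickle stream may name any importable (module, name) pair; the
unpickler resolves it in find_class() and may call it. Vetting that one
method against an allowlist refuses unexpected globals before any
constructor runs, which is what makes weights_only=True safe to use.
"""
import collections
import io
import pathlib
import pickle

# Hypothetical allowlist: what a tensor-only checkpoint is expected to
# need. A real list would also name torch's storage/rebuild helpers.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
}


class UnsafeGlobalError(pickle.UnpicklingError):
    """Stream references a global outside SAFE_GLOBALS."""


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) pairs."""

    def find_class(self, module, name):
        if (module, name) not in SAFE_GLOBALS:
            raise UnsafeGlobalError(f"refusing global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data: bytes):
    """Restricted equivalent of pickle.loads(data) / weights_only=False."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def check_checkpoint(data: bytes) -> bool:
    """True if the stream loads under the allowlist, False if refused."""
    try:
        safe_loads(data)
        return True
    except UnsafeGlobalError:
        return False


# Constructed samples: plain data, an allowlisted global, and a global
# that is harmless but not on the list (so it must be refused).
PLAIN_SAMPLE = pickle.dumps({"weight": [0.1, 0.2, 0.3]})
ALLOWED_SAMPLE = pickle.dumps(collections.OrderedDict(layer=1))
REFUSED_SAMPLE = pickle.dumps(pathlib.PurePosixPath("model.pt"))
```

For real checkpoints the equivalent switch is torch.load(path, weights_only=True); a zip-format checkpoint wraps the pickle stream inside the archive, so apply the check to what torch unpickles, not to the raw file bytes.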
