Mamba Language Model Framework Insecure Deserialization Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability allowing insecure deserialization has been identified in the Mamba language model framework, versions through 2.2.6. The issue arises when the framework loads pre-trained models from Hugging Face Hub. It is rooted in the MambaLMHeadModel.from_pretrained() method, which calls torch.load() on the pytorch_model.bin weight file without setting the security-focused weights_only=True parameter. As a result, arbitrary Python objects can be deserialized through the pickle module. An attacker could exploit this by uploading a malicious model repository to Hugging Face Hub; when a user loads a model from that repository, arbitrary code executes on the user's system within the Mamba process.
Impact
Exploitation of this vulnerability leads to arbitrary code execution on the victim's system, executed in the context of the Mamba process.
Reproduction
To reproduce this vulnerability, load a model from a malicious repository on Hugging Face Hub into the Mamba language model framework, versions through 2.2.6. The MambaLMHeadModel.from_pretrained() method will deserialize the model weights without the necessary security precautions, allowing any embedded code to execute on the system.
Remediation
Users can avoid this vulnerability by not loading models from untrusted repositories on Hugging Face Hub. If you are running Mamba version 2.2.6 or earlier, consider updating to a version in which this vulnerability is addressed.
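The check the advisory says is missing (torch.load's weights_only=True) can also be applied as a stand-alone pre-load scan of a checkpoint file, which is useful for vetting a repository before deciding whether to trust it. The following is an added example, not code from the advisory or the Mamba project; the ALLOWED_GLOBALS entries are an illustrative assumption (torch's real allowlist is larger), and the sample pickles are constructed inline.

```python
"""Allowlist check for a pickle checkpoint, modelled on torch.load(weights_only=True).
Added example, not from the advisory or the Mamba project: walk the opcode stream
with pickletools (parse only, nothing executes) and refuse the file if it names any
global outside an allowlist. The allowlist is illustrative; torch's own is larger."""
import datetime
import pickle
import pickletools
from collections import OrderedDict

# Assumption: the handful of globals a plain tensor state_dict references.
ALLOWED_GLOBALS = {("collections", "OrderedDict"),
                   ("torch._utils", "_rebuild_tensor_v2"), ("torch", "FloatStorage")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
GET_OPS, PUT_OPS = {"BINGET", "LONG_BINGET", "GET"}, {"BINPUT", "LONG_BINPUT", "PUT"}

def referenced_globals(data):
    """Every (module, name) the pickle would import, found without running it.
    GLOBAL (protocols 0-3) carries both names in its argument; STACK_GLOBAL
    (protocol 4+) pops them off the stack, where the pickler pushed them as
    string constants or memo lookups, so a minimal memo is tracked here."""
    found, strings, memo, top = set(), [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        pushed = None
        if op.name == "GLOBAL":
            found.add(tuple(arg.split(" ", 1)))
        elif op.name in STRING_OPS:
            pushed = arg
        elif op.name in GET_OPS:
            pushed = memo.get(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = top
        elif op.name in PUT_OPS:
            memo[arg] = top
        elif op.name == "STACK_GLOBAL":
            name, module = strings.pop(), strings.pop()
            found.add((module, name))
        if isinstance(pushed, str):
            strings.append(pushed)
        top = pushed
    return found

def disallowed_globals(data, allowed=ALLOWED_GLOBALS):
    """Globals outside the allowlist; an empty list means the file passes."""
    return sorted(referenced_globals(data) - set(allowed))

# Constructed samples: a benign state_dict-like mapping (two pickle protocols), and
# one that pulls in a class outside the allowlist: harmless here, but the pattern to refuse.
SAFE_V4 = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=4)
SAFE_V2 = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=2)
FOREIGN = pickle.dumps({"built": datetime.date(2024, 1, 1)}, protocol=4)
```

A non-empty result from disallowed_globals() is a reason to refuse the file before any torch.load() call, regardless of where the repository came from.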