OpenMed Remote Code Execution Vulnerability in Privacy-Filter Model Loading

Vulnerability

A remote code execution vulnerability has been identified in OpenMed versions prior to 1.5.2. The issue arises in the PII privacy-filter model loading process, where the dispatcher improperly matches user-supplied model names. This flaw allows an unauthenticated attacker to route a malicious model repository through a code path that loads Hugging Face models with remote code execution enabled ('trust_remote_code'). The attacker's code is then executed with the privileges of the OpenMed service process.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where OpenMed is running.

Reproduction

To reproduce this vulnerability, send a request to the '/pii/extract' or '/pii/deidentify' endpoint with a 'model_name' parameter that includes a repository name containing 'privacy-filter'. The request will be processed by the privacy-filter dispatcher, which will load the specified model with 'trust_remote_code' set to true, executing any embedded custom code.

Remediation

Users can update to OpenMed version 1.5.2 or later, where this vulnerability has been addressed. Instructions for updating are available in the OpenMed GitHub repository.
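
The dispatch flaw described above, next to one possible mitigation, as an added example that is not OpenMed's source code or its 1.5.2 fix. The function names, the LoadPlan type, the allowlist and the repository names are hypothetical and constructed for illustration.

```python
# Added example: hypothetical dispatcher logic, not taken from OpenMed.
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: exact repo id -> pinned revision (placeholder value).
TRUSTED_PRIVACY_FILTER_MODELS = {
    "example-org/privacy-filter-base": "<pinned-commit-sha>",
}


@dataclass(frozen=True)
class LoadPlan:
    repo_id: str
    revision: Optional[str]
    trust_remote_code: bool


def plan_vulnerable(model_name: str) -> LoadPlan:
    """Pattern from the advisory: substring match on caller-supplied input."""
    if "privacy-filter" in model_name:
        # Any repository whose name contains the marker reaches the
        # remote-code loading path, whoever owns it.
        return LoadPlan(model_name, None, trust_remote_code=True)
    return LoadPlan(model_name, None, trust_remote_code=False)


def plan_hardened(model_name: str) -> LoadPlan:
    """Exact-match allowlist: the request cannot switch on trust_remote_code."""
    revision = TRUSTED_PRIVACY_FILTER_MODELS.get(model_name)
    if revision is not None:
        # Only a vetted repository at a pinned revision may run custom code.
        return LoadPlan(model_name, revision, trust_remote_code=True)
    if "privacy-filter" in model_name.lower():
        # Looks like a privacy-filter request but is not vetted: refuse it
        # instead of silently falling through to another loader.
        raise ValueError(f"{model_name!r} is not an approved privacy-filter model")
    return LoadPlan(model_name, None, trust_remote_code=False)
```

The returned plan is what a loader would pass on as the repository id, revision and 'trust_remote_code' arguments; the decision is made from server-side configuration only.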

Added: Jun 2, 2026, 4:33 PM
Updated: Jun 2, 2026, 4:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.8
remediation: 0.0
relevance: 9.8
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.