CVE-2025-50472

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

T

he modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized `.mdl` payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine. Note that the payload file is a hidden file, making it difficult for the victim to detect tampering. More importantly, during the model training process, after the `.mdl` file is loaded and executes arbitrary code, the normal training process remains unaffected'meaning the user remains unaware of the arbitrary code execution.

References

Link	Resource
https://github.com/modelscope/ms-swift/blob/ab38bff0387a86fd9f068246c326ee7b0d5ed139/swift/hub/utils/caching.py#L141
https://github.com/xhjy2020/CVE-2025-50472

Configurations

No configuration.

History

04 Aug 2025, 15:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-01 16:15

Updated : 2025-08-04 15:06

NVD link : CVE-2025-50472

Mitre link : CVE-2025-50472

CVE.ORG link : CVE-2025-50472

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-50472", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-08-01T16:15:41.750", "references": [{"url": "https://github.com/modelscope/ms-swift/blob/ab38bff0387a86fd9f068246c326ee7b0d5ed139/swift/hub/utils/caching.py#L141", "source": "[email protected]"}, {"url": "https://github.com/xhjy2020/CVE-2025-50472", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized `.mdl` payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine. Note that the payload file is a hidden file, making it difficult for the victim to detect tampering. More importantly, during the model training process, after the `.mdl` file is loaded and executes arbitrary code, the normal training process remains unaffected'meaning the user remains unaware of the arbitrary code execution."}, {"lang": "es", "value": "La librer\u00eda modelscope/ms-swift hasta la versi\u00f3n 2.6.1 es vulnerable a la ejecuci\u00f3n de c\u00f3digo arbitrario mediante la deserializaci\u00f3n de datos no confiables dentro de la funci\u00f3n `load_model_meta()` de la clase `ModelFileSystemCache()`. Los atacantes pueden ejecutar c\u00f3digo y comandos arbitrarios creando un payload `.mdl` serializado malicioso, aprovechando el uso de `pickle.load()` en datos de fuentes potencialmente no confiables. Esta vulnerabilidad permite la ejecuci\u00f3n remota de c\u00f3digo (RCE) al enga\u00f1ar a las v\u00edctimas para que carguen un punto de control aparentemente inofensivo durante un proceso de entrenamiento normal, lo que permite a los atacantes ejecutar c\u00f3digo arbitrario en el equipo objetivo. Tenga en cuenta que el archivo de payload es un archivo oculto, lo que dificulta que la v\u00edctima detecte la manipulaci\u00f3n. M\u00e1s importante a\u00fan, durante el proceso de entrenamiento del modelo, despu\u00e9s de que el archivo `.mdl` se carga y ejecuta c\u00f3digo arbitrario, el proceso de entrenamiento normal no se ve afectado, lo que significa que el usuario no es consciente de la ejecuci\u00f3n del c\u00f3digo arbitrario."}], "lastModified": "2025-08-04T15:06:15.833", "sourceIdentifier": "[email protected]"}