
Unsafe deserialization in model cache loading may lead to Remote Code Execution #119

@JIRUWOZHI

Description


During the model cache initialization process in pycsghub, model metadata files stored in the local cache directory are automatically loaded and deserialized using pickle.load. If an attacker is able to upload or tamper with malicious model-related files on the hub, this behavior may result in an unsafe deserialization vulnerability, potentially leading to arbitrary code execution.

Affected Call Chain

pycsghub.cache.ModelFileSystemCache.__init__
  -> pycsghub.cache.FileSystemCache.__init__
    -> pycsghub.cache.FileSystemCache.load_cache
      -> pickle.load

Specifically, load_cache reads a fixed-name metadata file (e.g., .mdl) from the model cache directory and deserializes it directly via pickle.load, without any integrity or safety check on the file contents.

PoC

Attackers only need to create a model repository on OpenCSG Hub and upload a file named .mdl, whose contents are a malicious pickle payload. When a user simply executes the download command, the malicious file will be automatically deserialized, leading to arbitrary code execution.

pycsghub download attacker/malicious-model

Suggested Mitigations

Introduce a trust_remote_code (or equivalent) parameter

  • Disable deserialization of remote or untrusted pickle files by default;
  • Require users to explicitly set trust_remote_code=True to allow such behavior.
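The following is an added illustration of that mitigation, not code from pycsghub: a hypothetical drop-in for the pickle.load call in load_cache that, by default, unpickles only plain data (dicts, lists, strings, numbers) by refusing every global lookup, and falls back to full pickle.load only when trust_remote_code=True is passed explicitly. The file name, function names and sample blobs are assumptions for the example.

```python
import datetime
import io
import os
import pickle

# Name of the metadata file the report says load_cache reads from the cache dir.
META_FILE = ".mdl"


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup. Plain metadata (dict/list/str/int/...)
    never needs one, so any GLOBAL/STACK_GLOBAL/REDUCE path is rejected.
    This is the restriction pattern from the pickle docs, used as a default gate."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"untrusted cache file references {module}.{name}")


def load_metadata_bytes(data, trust_remote_code=False):
    """Hypothetical hardened replacement for the pickle.load in load_cache."""
    if trust_remote_code:
        return pickle.loads(data)  # opt-in only, as the report suggests
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_cache(cache_dir, trust_remote_code=False):
    """Read <cache_dir>/.mdl the way load_cache does, but through the gate above."""
    with open(os.path.join(cache_dir, META_FILE), "rb") as fh:
        return load_metadata_bytes(fh.read(), trust_remote_code)


def rejects_untrusted(data):
    """True if the default (untrusted) path refuses this blob."""
    try:
        load_metadata_bytes(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample blobs: ordinary metadata, and one whose unpickling needs a
# global lookup (datetime.date is harmless; it only exercises the find_class path).
SAFE_BLOB = pickle.dumps({"repo": "org/model", "files": ["model.bin"]})
NEEDS_GLOBAL_BLOB = pickle.dumps(datetime.date(2024, 1, 1))

if __name__ == "__main__":
    print(load_metadata_bytes(SAFE_BLOB))
    print("default path rejects global lookup:", rejects_untrusted(NEEDS_GLOBAL_BLOB))
```

Blocking find_class removes the usual route from an untrusted pickle to a callable; treating the cache file as data-only by default is the point, and full pickle.load stays behind the explicit opt-in.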
