### Key Information

#### Vulnerability Overview

- **CVE ID**: CVE-2025-50461
- **Vulnerability Type**: Remote Code Execution (RCE) via unsafe model deserialization in VeriL
- **Status**: Reserved, not yet officially published

#### Affected Repository

- **Project**: volcengine/veril
- **Affected Versions**: <= v0.4.0
- **File**: scripts/model_merger.py
- **GitHub Permanent Link**: https://github.com/volcengine/veril/blob/v0.3.0.post1/scripts/model_merger.py#L87
- **Dependency**: PyTorch < 2.6.0

#### Vulnerability Description

A deserialization vulnerability exists in VeriL version v0.3.0, specifically when the `model_merger.py` script uses the "fsdp" backend. The script calls `torch.load()` with `weights_only=False`, which unpickles arbitrary Python objects from the checkpoint file and therefore lets an attacker who can supply a crafted model file execute arbitrary code on the machine running the script.

#### Proof of Concept (PoC)

1. Create a malicious model file (`malicious.pt`)
2. Rename and place the file
3. Execute the vulnerable script

#### Result

The command `mkdir HACKED!` is executed on the victim's system.

#### Mitigation Measures

- Upgrade to PyTorch 2.6.0 or later, which defaults to `weights_only=True`.
- Modify the code to explicitly pass `weights_only=True`.
- Implement validation to ensure model file integrity.
- Educate users not to load models from untrusted sources.

#### CVE Status

- **CVSS Score**: Pending
- **Report Date**: 2025-04-30
- **Disclosure Date**: 2025-08-15
- **Affected Versions**: <= v0.4.0
- **Fixed Version**: Not specified

#### Discoverers

- Yu Rong and Hao Fan
- Contact: anchoriongou2022@gmail.com
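The following is an added example illustrating two of the mitigation measures listed above; it is not code from the VeriL project or from the advisory authors. It shows (1) a small AST-based audit that flags `torch.load()` calls in a code base that do not explicitly pass `weights_only=True`, so the unsafe pattern can be found before PyTorch is even upgraded, and (2) a loader that verifies a pinned SHA-256 digest of the checkpoint before calling `torch.load(..., weights_only=True)`. The sample source text, file contents and digests are constructed for the demonstration; the audit only recognises the spelling `torch.load(...)`, not aliases such as `import torch as th`.

```python
"""Added example (not VeriL project code): audit torch.load() call sites and
load checkpoints only after an integrity check, with weights_only=True."""
import ast
import hashlib
import hmac
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def _is_torch_load(call: ast.Call) -> bool:
    """True when the call is spelled torch.load(...). Aliases are not handled."""
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr == "load"
            and isinstance(f.value, ast.Name) and f.value.id == "torch")


def find_unsafe_torch_loads(source: str) -> List[Tuple[int, str]]:
    """Return (line, reason) for every torch.load(...) that is not explicitly
    weights_only=True. A missing keyword is reported because PyTorch < 2.6.0
    defaults to weights_only=False, i.e. full pickle deserialization."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_torch_load(node)):
            continue
        kw = next((k for k in node.keywords if k.arg == "weights_only"), None)
        if kw is None:
            findings.append((node.lineno, "weights_only not set; unsafe default before torch 2.6.0"))
        elif not (isinstance(kw.value, ast.Constant) and kw.value.value is True):
            findings.append((node.lineno, "weights_only is not the literal True"))
    return findings


def sha256_file(path) -> str:
    """Stream the file through SHA-256 so large checkpoints do not load into memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path, expected_sha256: str) -> bool:
    """Constant-time comparison of the file digest against a pinned value."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


def safe_load_checkpoint(path, expected_sha256: str):
    """Refuse to deserialize unless the file matches its pinned digest, then load
    with weights_only=True so only tensors and primitive containers are unpickled."""
    if not verify_digest(path, expected_sha256):
        raise ValueError(f"digest mismatch for {path}; refusing to load")
    import torch  # imported lazily so the audit helpers run without PyTorch installed
    return torch.load(path, map_location="cpu", weights_only=True)


# Constructed sample source: line 2 has no keyword, line 3 is safe, line 4 is unsafe.
SAMPLE_SOURCE = (
    "import torch\n"
    "state = torch.load('actor.pt', map_location='cpu')\n"
    "safe = torch.load('actor.pt', weights_only=True)\n"
    "bad = torch.load('actor.pt', weights_only=False)\n"
)


def demo() -> Dict[str, object]:
    """Run the audit on the constructed source and the digest check on a
    constructed file; returns the results so they can be asserted on."""
    unsafe_lines = [line for line, _ in find_unsafe_torch_loads(SAMPLE_SOURCE)]
    payload = b"constructed checkpoint bytes, not a real model"
    pinned = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        ckpt = os.path.join(tmp, "actor.pt")
        with open(ckpt, "wb") as fh:
            fh.write(payload)
        digest_ok = verify_digest(ckpt, pinned)
        digest_tampered = verify_digest(ckpt, "0" * 64)
    return {"unsafe_lines": unsafe_lines, "digest_ok": digest_ok,
            "digest_tampered": digest_tampered}


if __name__ == "__main__":
    print(demo())
```

In a CI job, `find_unsafe_torch_loads` can be run over every `.py` file in the repository and fail the build on any finding; the digest in `safe_load_checkpoint` would come from a manifest produced at training time and stored separately from the checkpoint itself, so that replacing the `.pt` file alone is not enough to get it loaded.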