### Key Information Summary

#### Vulnerability Description

Commit `ee9c4ab` addresses unsafe serialization in the ZMQ socket layer. It covers the following aspects:

1. **Removal of default pickle serialization**
   - **Context:**
     - The ZMQ socket code previously used Python's `pickle` for default serialization and deserialization of messages.
     - `pickle.loads` reconstructs arbitrary objects and invokes the callables named in the stream (`__reduce__`), so any peer able to write to a socket could execute code in the receiving process. This is the well-known deserialization attack class.
   - **Remediation:**
     - The default use of `pickle` has been removed and replaced with a data-only serialization format (see item 3).

2. **Message passing code adjustments**
   - **Modules affected:**
     - `kv_cache_agent/dispatcher_client.py` and `dispatcher_service.py`
     - `max/serve/queue/zmq_queue.py`
     - `max/serve/scheduler/queues.py`
     - `audio_generation_scheduler.py` and other files involved in message passing and serialization had their `pickle` calls replaced.
   - **Specific changes:**
     - Deserialization paths replace `pickle.loads` with the agreed data-only decoder.
     - Serialization paths replace `pickle.dumps` with the corresponding encoder.

3. **Standardization of the serialization mechanism**
   - Serialization and deserialization are unified across the affected code so that every socket speaks the same format.
   - `msgpack` is now used for encoding and decoding. Because msgpack only produces plain data (numbers, strings, bytes, lists, maps), decoding a hostile message cannot instantiate classes or call functions, which eliminates the code-execution risk that `pickle` carried.

#### Security Impact

This fix removes the arbitrary-code-execution primitive from the ZMQ message path, materially reducing the risk of deserialization attacks and improving the overall security posture of the `modular` project.

Caveats for reviewers: changing the wire format removes the code-execution primitive but not the need to validate message contents (types, field sets, sizes) on the receiving side, and any remaining `pickle` call sites that can see untrusted bytes should be audited separately.

---
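The following is an added example, not code from the commit or the `modular` project. It shows the vulnerable pattern (`pickle.loads` on bytes taken off a socket) beside a hardened replacement of the kind the commit describes: a data-only encoder plus shape validation on the receiving side. The exploit object, the message schema (`request_id`, `tokens`, `priority`) and all function names are constructed for this example. It uses `msgpack` when that package is installed and falls back to the standard-library `json` module otherwise, so it runs without third-party dependencies; the ZMQ socket itself is left out, since the point is what happens to the bytes on each side of `send`/`recv`.

```python
"""Added example: pickle-based ZMQ message handling vs. a hardened replacement."""
import json
import os
import pickle

try:
    import msgpack  # third-party; the commit described above switches to it
except ImportError:  # assumption: fall back to stdlib json so the block runs anywhere
    msgpack = None


# --- the vulnerable pattern: pickle.loads on bytes that came off the wire ----

def recv_pickle(payload: bytes):
    """What the pre-fix receiver effectively did: trusts whatever the peer sent."""
    return pickle.loads(payload)


class _Exploit:
    """Constructed attacker object. pickle's __reduce__ lets the sender pick a
    callable and its arguments; the receiver invokes it inside pickle.loads()."""

    def __reduce__(self):
        # Harmless stand-in for attacker code: returns the receiver's own PID.
        return (eval, ("__import__('os').getpid()",))


def build_malicious_payload() -> bytes:
    return pickle.dumps(_Exploit())


def pickle_payload_executes() -> bool:
    """True if loading the hostile payload ran code in this process."""
    return recv_pickle(build_malicious_payload()) == os.getpid()


# --- the hardened pattern: data-only encoding plus shape validation -----------

# Hypothetical message schema for this example: field name -> required type.
SCHEMA = {"request_id": str, "tokens": list, "priority": int}


def encode(msg: dict) -> bytes:
    if msgpack is not None:
        return msgpack.packb(msg, use_bin_type=True)
    return json.dumps(msg).encode("utf-8")


def validate(obj) -> None:
    """Reject anything that is not exactly the expected message shape."""
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        raise ValueError("unexpected message shape")
    for field, typ in SCHEMA.items():
        value = obj[field]
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            raise ValueError(f"bad type for {field}")
    if not all(isinstance(t, int) and not isinstance(t, bool) for t in obj["tokens"]):
        raise ValueError("tokens must be ints")


def decode(payload: bytes) -> dict:
    """Decodes into plain data only: no class reconstruction, no callables."""
    try:
        if msgpack is not None:
            obj = msgpack.unpackb(payload, raw=False)
        else:
            obj = json.loads(payload.decode("utf-8"))
    except Exception as exc:  # malformed or foreign bytes, e.g. a pickle stream
        raise ValueError(f"undecodable message: {exc!r}") from None
    validate(obj)
    return obj


def safe_recv(payload: bytes):
    """Returns (ok, value). ok=False means the message was rejected, never executed."""
    try:
        return True, decode(payload)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    evil = build_malicious_payload()
    print("pickle.loads ran attacker-chosen code:", pickle_payload_executes())
    print("hardened decoder on the same bytes:", safe_recv(evil))
    good = encode({"request_id": "r1", "tokens": [1, 2, 3], "priority": 2})
    print("hardened decoder on a valid message:", safe_recv(good))
```

The hostile payload is rejected by the hardened path for two independent reasons: the bytes are not a valid msgpack/JSON document, and even a syntactically valid document must match the schema before the receiver uses it. The `bool` checks matter because `bool` is a subclass of `int` in Python, a common gap in hand-written validators.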