Vulnerability: CWE-502 - Untrusted Data Deserialization via torch.load Without weights_only=True

### Description
The code snippet uses the `torch.load` function to load data without specifying the `weights_only=True` parameter. This function is used to deserialize data, and when it loads untrusted data, it may lead to the execution of arbitrary code during the deserialization process. Since the source of the data loaded by `torch.load` is not verified, there is a risk that malicious pickle data can be used to exploit this vulnerability.

https://github.com/FunAudioLLM/InspireMusic/blob/455f99a0ba6fdfe2e4d00249c095fc76ecbbd42d/inspiremusic/cli/model.py#L84

https://github.com/FunAudioLLM/InspireMusic/blob/455f99a0ba6fdfe2e4d00249c095fc76ecbbd42d/inspiremusic/cli/model.py#L89


### Exploit
An attacker can create a malicious file containing crafted pickle data. When the `torch.load` function in the given code loads this malicious file, the deserialization process will execute the arbitrary code embedded in the pickle data. This can lead to various security issues, such as unauthorized access to the system, data leakage, or modification of system settings.

### Impacted
All versions of the code that use the `torch.load` function without the `weights_only=True` parameter to load untrusted data are affected.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerability: CWE-502 - Untrusted Data Deserialization via torch.load Without weights_only=True #53

Description

Exploit

Impacted

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Vulnerability: CWE-502 - Untrusted Data Deserialization via torch.load Without weights_only=True #53

Description

Description

Exploit

Impacted

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions