GHSA-r54c-2xmf-2cf3: ms-swift: RCE via pickle deserialization in adapter models
GHSA-r54c-2xmf-2cf3
Severity: MEDIUM

Any team using ms-swift for LLM fine-tuning with externally-sourced adapter models (LoRA, etc.) is exposed to arbitrary code execution on training infrastructure. Upgrade to ms-swift 3.7+ immediately; if running torch < 2.6.0, treat this as critical since the unsafe torch.load path is fully exploitable. Audit all adapter model sources in your ML pipelines — this is a supply chain attack vector, not just a patch problem.
Risk Assessment
Risk is HIGH for organizations with active LLM fine-tuning workflows using ms-swift, particularly those pulling adapter models from public registries like ModelScope. The exploit chain is straightforward: publish malicious adapter, convince or wait for a user to reference it, achieve RCE on the training host. The prerequisite of torch < 2.6.0 is common in production ML environments where dependency pinning is standard practice. Training infrastructure typically has broad network access and privileged credentials, amplifying blast radius.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ms-swift | pip | <= 3.6.3 | No patch |
Recommended Action
7 steps:

1. PATCH: Upgrade ms-swift to 3.7+ (torch.load disabled, replaced with safe loading).
2. MITIGATE: If immediate upgrade is not possible, upgrade torch to 2.6.0+, which defaults to weights_only=True in torch.load().
3. CONTROL: Restrict adapter model sources to internal, audited registries — block external ModelScope/HuggingFace pulls in training environments.
4. HARDEN: Run fine-tuning jobs in isolated containers or VMs with no lateral network access.
5. DETECT: Monitor for unexpected process spawning from Python training processes (e.g., os.system calls, shell spawns).
6. AUDIT: Review all adapter model references currently in use and verify their provenance.
7. POLICY: Establish an ML supply chain policy requiring internal mirroring of all external model artifacts before use.
Frequently Asked Questions
What is GHSA-r54c-2xmf-2cf3?
GHSA-r54c-2xmf-2cf3 is a GitHub Security Advisory for ms-swift: a remote code execution vulnerability in which torch.load() unpickles an externally sourced adapter model file (adapter_model.bin) and runs the embedded payload on the training host. The summary at the top of this page gives the exposure and the recommended upgrade.
Is GHSA-r54c-2xmf-2cf3 actively exploited?
No confirmed active exploitation of GHSA-r54c-2xmf-2cf3 has been reported, but organizations should still patch proactively.
How to fix GHSA-r54c-2xmf-2cf3?
1. PATCH: Upgrade ms-swift to 3.7+ (torch.load disabled, replaced with safe loading).
2. MITIGATE: If immediate upgrade is not possible, upgrade torch to 2.6.0+, which defaults to weights_only=True in torch.load().
3. CONTROL: Restrict adapter model sources to internal, audited registries — block external ModelScope/HuggingFace pulls in training environments.
4. HARDEN: Run fine-tuning jobs in isolated containers or VMs with no lateral network access.
5. DETECT: Monitor for unexpected process spawning from Python training processes (e.g., os.system calls, shell spawns).
6. AUDIT: Review all adapter model references currently in use and verify their provenance.
7. POLICY: Establish an ML supply chain policy requiring internal mirroring of all external model artifacts before use.
What systems are affected by GHSA-r54c-2xmf-2cf3?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, fine-tuning infrastructure, model serving, ML development environments.
What is the CVSS score for GHSA-r54c-2xmf-2cf3?
No CVSS score has been assigned yet.
Technical Details
NVD Description
This appears to be a security vulnerability report describing a remote code execution (RCE) exploit in the ms-swift framework through malicious pickle deserialization in adapter model files. The vulnerability allows arbitrary command execution when loading specially crafted adapter models from ModelScope. It occurs when the machine's torch version is < 2.6.0, while ms-swift accepts torch version >= 2.0.

**I. Detailed Description:**

1. Install ms-swift:

   ```
   pip install ms-swift -U
   ```

2. Start the web UI:

   ```
   swift web-ui --lang en
   ```

3. After startup, you can access [http://localhost:7860/](http://localhost:7860/) through your browser to see the launched fine-tuning framework program.

4. Upload an adapter model repository (cyjhhh/lora_adapter_4_llama3) to ModelScope, where the lora/adapter_model.bin file is generated through the following code:

   ```python
   import torch, pickle, os

   class MaliciousPayload:
       def __reduce__(self):
           return (os.system, ("touch /tmp/malicious.txt",))  # Arbitrary command

   malicious_data = {
       "v_head.summary.weight": MaliciousPayload(),
       "v_head.summary.bias": torch.randn(10)
   }

   if __name__ == "__main__":
       with open("adapter_model.bin", "wb") as f:
           pickle.dump(malicious_data, f)
   ```

5. First training submission: fill in the required parameters in the LLM Training interface, including Model id and Dataset Code, and configure the following in the Other params section of Advanced settings.

6. Click Begin to submit. You can see the backend command running as follows.

7. By reading the ms-swift source code, swift.llm.model.utils#safe_snapshot_download() and modelscope.hub.utils.utils#get_cache_dir(), we can see that adapters are downloaded locally to the path ~/.cache/modelscope. Therefore, the complete local path for the specified remote adapters after download is:

   ```
   ~/.cache/modelscope/hub/models/cyjhhh/lora_adapter_4_llama3
   ```

   Wait for the first submission program until the adapter download is complete, then click "kill running task" on the page to terminate the first training.

8. Second training submission: configure the page parameters as follows, then click Submit to see the backend command running as follows.

9. After waiting for a while, you can see that torch.load() loaded the malicious adapter_model.bin file and successfully executed the command. Related execution information can also be seen in the log file corresponding to --logging_dir.

10. Note (Prerequisites): requires machine torch version < 2.6.0, while ms-swift accepts torch version >= 2.0.

**II. Vulnerability Proof:**

1. Remote downloaded adapter malicious model: [lora_adapter_4_llama3](https://www.modelscope.cn/models/cyjhhh/lora_adapter_4_llama3/files)
2. For the second training submission, it is recommended to follow the parameters shown in the screenshots above for reproduction, as it will validate the target modules specified in the base model and adapter config. If they do not match, the program will terminate early. It is also recommended to select the same dataset content as shown in the screenshots.
3. This report only reproduces RCE for one entry point (single path). In reality, there is more than one path in the code that can cause deserialization RCE.

**III. Fix Solution:**

SWIFT has disabled torch.load operations from 3.7 or later.

## Author

* Discovered by: [TencentAISec](https://github.com/TencentAISec)
* Contact: [security@tencent.com](mailto:security@tencent.com)
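To make the MITIGATE and AUDIT steps from the Recommended Action list concrete, and to show what the PoC's adapter_model.bin looks like to a defender, here is an added example (not ms-swift or PyTorch code) that triages a pickle-based weight file before anything calls torch.load(). It walks the opcode stream with pickletools.genops without ever unpickling, and reports every imported global outside a small allowlist of what a plain state_dict needs. The allowlist, the payload stand-in (which records a call to os.system("true") and is never executed) and the sample files are all constructed for this example; the scanner handles both the raw pickle the PoC writes and the zip layout torch uses for its newer .bin files.

```python
"""Pre-load triage for pickle-based adapter weights (added example; not ms-swift or torch code).
Walks the pickle opcode stream with pickletools.genops and never unpickles, so nothing in the
file can run. Reports every GLOBAL / STACK_GLOBAL / INST import outside a small allowlist."""
import io
import os
import pickle
import pickletools
import zipfile

# Constructed allowlist modelled on the idea behind torch.load(weights_only=True);
# an assumption for this example, not torch's own list.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
    ("torch", "BFloat16Storage"),
}

# Opcodes that push a str operand; STACK_GLOBAL consumes the last two of them.
_STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}


def referenced_globals(data):
    """Yield (module, name) for every global import encoded in a pickle stream.
    Strings are tracked through MEMOIZE/PUT and GET so STACK_GLOBAL operands
    fetched from the memo are still resolved."""
    memo = {}      # memo slot -> str operand, or None for a non-string object
    recent = []    # the last two str values pushed on the stack
    top = None     # str operand of the most recent push, None otherwise
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name in _STRING_OPS:
            top = arg
            recent = (recent + [arg])[-2:]
        elif name == "MEMOIZE":                    # protocol 4: slot = next index
            memo[len(memo)] = top
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = top
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            top = memo.get(arg)
            if isinstance(top, str):
                recent = (recent + [top])[-2:]
        elif name in ("GLOBAL", "INST"):           # protocols 0-3: arg is "module name"
            top = None
            module, attr = arg.split(" ", 1)
            yield module, attr
        elif name == "STACK_GLOBAL":               # protocol 4+: module and name on stack
            top = None
            yield tuple(recent) if len(recent) == 2 else ("<unresolved>", "<unresolved>")
        else:
            top = None


def scan_pickle(data):
    """Sorted list of disallowed (module, name) imports; an empty list means clean."""
    return sorted(set(referenced_globals(data)) - ALLOWED_GLOBALS)


def scan_blob(data):
    """Scan a .bin either as a raw pickle (the PoC's layout) or as a torch zip
    archive whose *.pkl members hold the pickled metadata."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        findings = set()
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    findings.update(scan_pickle(zf.read(member)))
        return sorted(findings)
    return scan_pickle(data)


def scan_adapter_file(path):
    with open(path, "rb") as f:
        return scan_blob(f.read())


# --- constructed samples; the suspicious one is never unpickled ---------------
class _ConstructedPayload:
    """Stand-in for the advisory's payload: pickling it records os.system("true")."""
    def __reduce__(self):
        return (os.system, ("true",))

# os.system is a C builtin whose __module__ is the platform module ("posix" on
# Linux), so a hit is reported as posix.system rather than os.system.
PAYLOAD_GLOBAL = (os.system.__module__, "system")

def make_benign_sample(protocol=pickle.DEFAULT_PROTOCOL):
    """state_dict-shaped dict of plain Python values: no imports at all."""
    return pickle.dumps({"lora_A.weight": [0.1, 0.2], "lora_B.weight": [0.3]}, protocol)

def make_suspicious_sample(protocol=pickle.DEFAULT_PROTOCOL):
    """Same shape as the PoC's malicious_data, with torch.randn replaced by a list."""
    return pickle.dumps({"v_head.summary.weight": _ConstructedPayload(),
                         "v_head.summary.bias": [0.0] * 10}, protocol)

def make_zip_sample(pickle_bytes):
    """Wrap a pickle as archive/data.pkl, the layout of torch's zip-based files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        hits = scan_adapter_file(path)
        print(path, "CLEAN" if not hits else "SUSPICIOUS " + ", ".join(".".join(h) for h in hits))
    if not sys.argv[1:]:   # demo on the constructed samples
        print("benign:", scan_pickle(make_benign_sample()), "| zip-wrapped payload:",
              scan_blob(make_zip_sample(make_suspicious_sample())))
```

Run it against the cached download (for this advisory's layout, a path of the form ~/.cache/modelscope/hub/models/<org>/<adapter>/adapter_model.bin) before a training job picks the file up; any hit, or an `<unresolved>` entry, means the file should be rejected rather than loaded. It is a triage filter, not a substitute for weights_only=True or a non-pickle format: unpickling a flagged file on torch < 2.6.0 would still run the payload, and the DETECT step (watching for shells spawned from Python training processes) remains the backstop if a file slips through.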
Exploitation Scenario
An adversary targets an organization known to be fine-tuning LLMs with ms-swift. They publish a convincing LoRA adapter to ModelScope under a plausible name (e.g., mimicking a legitimate community adapter for Llama-3). A data scientist references this adapter ID in the ms-swift web UI for a training run. ms-swift downloads the adapter to ~/.cache/modelscope and subsequently calls torch.load() on adapter_model.bin during the next training submission — executing the embedded pickle payload. The payload establishes a reverse shell or drops a backdoor on the training host, giving the adversary access to GPU infrastructure, model weights, training data, and likely cloud credentials stored in environment variables.
Related Vulnerabilities
* CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection. Same attack type: Supply Chain
* CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (CVSS 10). Same attack type: Supply Chain
* CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Supply Chain
* CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Supply Chain
* CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same attack type: Code Execution