CVE-2025-4701
📋 TL;DR
This vulnerability in VITA-MLLM Freeze-Omni allows arbitrary code execution through unsafe deserialization in the torch.load function. Attackers can exploit this by manipulating file paths to execute malicious code on the local system. Only users running affected versions of Freeze-Omni are impacted.
💻 Affected Systems
- VITA-MLLM Freeze-Omni
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the local machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation or arbitrary code execution within the context of the Freeze-Omni application, allowing attackers to access sensitive data or disrupt operations.
If Mitigated
Limited impact due to proper input validation and sandboxing, potentially resulting in application crash or denial of service only.
🎯 Exploit Status
Exploitation requires local access to the system and the ability to manipulate the file paths passed to the torch.load function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 20250421
Vendor Advisory: https://github.com/VITA-MLLM/Freeze-Omni/issues/29
Restart Required: Yes
Instructions:
1. Update Freeze-Omni to latest version after 20250421.
2. Restart any running Freeze-Omni services.
3. Verify the fix by checking version and testing with safe inputs.
🔧 Temporary Workarounds
Input Validation for torch.load
Implement strict input validation for all paths passed to the torch.load function.
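# Add validation before torch.load calls
from pathlib import Path

import torch

def safe_torch_load(path):
    # Validate path is within expected directories
    # ('/safe/directory' is a placeholder; resolve it so symlinks compare correctly)
    expected_dir = Path('/safe/directory').resolve()
    # resolve() collapses '..' and symlinks before the containment check
    resolved_path = Path(path).resolve()
    # Path.is_relative_to requires Python 3.9+
    if not resolved_path.is_relative_to(expected_dir):
        raise ValueError('Invalid path')
    # This only constrains where the file comes from; torch.load still unpickles it
    return torch.load(str(resolved_path))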
🧯 If You Can't Patch
- Restrict file system permissions to prevent unauthorized file creation/modification
- Implement network segmentation to isolate Freeze-Omni systems from critical assets
🔍 How to Verify
Check if Vulnerable:
Check if Freeze-Omni version is 20250421 or earlier by examining the package version or checking the models/utils.py file for unsafe torch.load usage.
Check Version:
python -c "import freeze_omni; print(freeze_omni.__version__)" or check package metadata
Verify Fix Applied:
Verify version is newer than 20250421 and test that torch.load rejects malicious file paths with proper error handling.
📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in torch.load calls
- Python tracebacks indicating deserialization errors
- Unexpected process spawns from Freeze-Omni
Network Indicators:
- Outbound connections from Freeze-Omni to unexpected destinations
SIEM Query:
process_name:"python" AND (process_command_line:"torch.load" OR process_command_line:"Freeze-Omni") AND event_type:"process_creation"