CVE-2025-50461
📋 TL;DR
This CVE describes a deserialization vulnerability in Volcengine's verl 3.0.0 that allows arbitrary code execution when loading malicious model files. Attackers can exploit this by tricking users into placing specially crafted .pt files in specific directories. Users running the model_merger.py script with the 'fsdp' backend are affected.
💻 Affected Systems
- Volcengine verl
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with the privileges of the user running the script, potentially leading to data theft, lateral movement, or complete system takeover.
Likely Case
Local privilege escalation or execution of malicious payloads on systems where users load untrusted model files.
If Mitigated
No impact if only trusted model files are loaded or if the vulnerability is patched.
🎯 Exploit Status
Requires social engineering to place malicious file, knowledge of specific filename patterns, and user to run the vulnerable script.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in references, but fix involves modifying the script
Vendor Advisory: https://github.com/volcengine/verl
Restart Required: No
Instructions:
1. Update verl to a patched version if available. 2. Modify scripts/model_merger.py line 152 to use weights_only=True in torch.load(). 3. Test the modified script functionality.
🔧 Temporary Workarounds
Use weights_only parameter
allModify the torch.load() call to use weights_only=True to prevent deserialization of arbitrary objects
sed -i "s/torch.load(weights_only=False)/torch.load(weights_only=True)/g" scripts/model_merger.py
Restrict file sources
allOnly load model files from trusted, verified sources and implement file integrity checks
🧯 If You Can't Patch
- Implement strict access controls on directories where model files are stored
- Use application allowlisting to prevent execution of unauthorized code
🔍 How to Verify
Check if Vulnerable:
Check if scripts/model_merger.py contains 'torch.load(weights_only=False)' on line 152 or similarCheck Version:
Check verl version in package metadata or repository tagsVerify Fix Applied:
Verify that torch.load() calls in model_merger.py use weights_only=True parameter📡 Detection & Monitoring
Log Indicators:
- Unusual process execution following model loading
- Errors from torch.load() with untrusted data
Network Indicators:
- Unexpected outbound connections after model file processing
SIEM Query:
Process execution where command contains 'python' and 'model_merger.py' followed by network connections