diff --git a/advisories/github-reviewed/2026/05/GHSA-7g5w-pq96-8c5w/GHSA-7g5w-pq96-8c5w.json b/advisories/github-reviewed/2026/05/GHSA-7g5w-pq96-8c5w/GHSA-7g5w-pq96-8c5w.json
index 97df087d81258..ff8c98e6b647a 100644
--- a/advisories/github-reviewed/2026/05/GHSA-7g5w-pq96-8c5w/GHSA-7g5w-pq96-8c5w.json
+++ b/advisories/github-reviewed/2026/05/GHSA-7g5w-pq96-8c5w/GHSA-7g5w-pq96-8c5w.json
@@ -1,17 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7g5w-pq96-8c5w",
- "modified": "2026-05-18T15:22:20Z",
+ "modified": "2026-05-18T15:22:22Z",
 "published": "2026-05-11T18:31:44Z",
 "aliases": [
 "CVE-2026-31253"
 ],
 "summary": "flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism",
- "details": "The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.",
+ "details": "The flash-attention package contains multiple insecure deserialization sites (CWE-502) that allow arbitrary code execution when an attacker-controlled file is loaded. As originally reported, training/src/utils/checkpoint.py (load_checkpoint()) and training/src/eval.py use torch.load() without weights_only=True, permitting deserialization of arbitrary Python objects via pickle. 
The same bug class is present in at least three additional locations through commit e724e2588cbe754beb97cf7c011b5e7e34119e62, two of which ship inside the installed flash_attn wheel and are therefore reachable by downstream consumers of the package — not only users who clone the source repository to run the training scripts.\n\nAdditional affected sites:\n\nflash_attn/utils/pretrained.py — state_dict_from_pretrained() calls torch.load() without weights_only=True when loading Hugging Face checkpoints whose hub artifact is a pytorch_model.bin rather than a .safetensors file. This is the default path for any HF repository that has not migrated to safetensors and is triggered automatically by pipelines that resolve such a model.\nflash_attn/models/llama.py — state_dicts_from_checkpoint() loads Meta-format LLaMA consolidated.*.pth shards via torch.load() without weights_only=True. A malicious shard placed in the checkpoint directory executes during loading.\ntraining/src/datamodules/language_modeling_hf.py — uses raw pickle.load() on a cached tokenizer.pkl. Not shipped in the wheel, but reachable by anyone running the dataset preparation scripts against a poisoned or shared cache.\n\nIn all cases, loading an attacker-influenced file yields arbitrary Python code execution in the loading process. Realistic exploitation paths include pulling a poisoned pytorch_model.bin from a third-party Hugging Face repository, loading LLaMA-format shards from an untrusted source, or reusing a tokenizer.pkl cache produced on another machine.\n\nSuggested fix: pass weights_only=True at each torch.load() site; for the pickle.load() site, switch the cache to a non-pickle representation or use a restricted unpickler that allow-lists only the tokenizer classes actually in use.",
 "severity": [
 {
 "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
 }
 ],
 "affected": [
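Review bot: The new `"score"` line asserts UI:N while every exploitation path in the rewritten details requires the victim to load an attacker-supplied checkpoint, shard or cache, a precondition CVSS 3.1 scorers commonly rate as UI:R (8.8); the only support for UI:N in the text is the claim that pipelines resolve a `pytorch_model.bin` automatically, so either that justification should be stated next to the vector or the vector lowered to match the narrative. The suggested fix also says to pass `weights_only=True` at each `torch.load()` site without saying which torch versions are exposed — as far as I recall torch.load has defaulted to weights_only=True since PyTorch 2.6, so reachability of all three sites depends on the pinned torch, and a sentence such as `Exposure requires torch.load() to run with weights_only=False, the default before PyTorch 2.6.` would let readers triage quickly. Finally, weights_only=True narrows the unpickler but is still a pickle-based loader; for the Hugging Face path the details should additionally recommend preferring `.safetensors` artifacts and refusing `pytorch_model.bin` from repositories the deployment does not trust. The "(2025-13-04)" date from the old text is gone, which is correct since it was never a valid date.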
@@ -51,9 +51,10 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-502",
 "CWE-94"
 ],
- "severity": "HIGH",
+ "severity": "CRITICAL",
 "github_reviewed": true,
 "github_reviewed_at": "2026-05-18T15:22:20Z",
 "nvd_published_at": "2026-05-11T17:16:20Z"