🐍 PyPI

GHSA-r54c-2xmf-2cf3

MS SWIFT Deserialization RCE Vulnerability

Published
Jul 31, 2025
Updated
Aug 12, 2025
Affected
1 pkg
Patched
None yet
Exploits
None indexed

Blast Radius

1 pkg affected
🐍ms-swift


Description

This report describes a remote code execution (RCE) vulnerability in the ms-swift framework caused by pickle deserialization of adapter model files. Loading a specially crafted adapter model from ModelScope allows arbitrary command execution.

The issue occurs when the machine's torch version is < 2.6.0, while ms-swift accepts any torch version >= 2.0.

I. Detailed Description:

  1. Install ms-swift:

```shell
pip install ms-swift -U
```

  2. Start the web UI:

```shell
swift web-ui --lang en
```

  3. After startup, open http://localhost:7860/ in a browser to see the launched fine-tuning framework program.

  4. Upload an adapter model repository (cyjhhh/lora_adapter_4_llama3) to ModelScope, where the lora/adapter_model.bin file is generated with the following code:

```python
import torch, pickle, os

class MaliciousPayload:
    def __reduce__(self):
        return (os.system, ("touch /tmp/malicious.txt",))  # Arbitrary command

malicious_data = {
    "v_head.summary.weight": MaliciousPayload(),
    "v_head.summary.bias": torch.randn(10)
}

if __name__ == "__main__":
    with open("adapter_model.bin", "wb") as f:
        pickle.dump(malicious_data, f)
```

  5. First training submission: fill in the required parameters in the LLM Training interface, including Model id and Dataset Code, and configure the following in the Other params section of Advanced settings.

  6. Click Begin to submit. The backend command can be seen running as follows.

  7. By reading the ms-swift source code (swift.llm.model.utils#safe_snapshot_download() and modelscope.hub.utils.utils#get_cache_dir()), we can see that adapters are downloaded locally under ~/.cache/modelscope. The complete local path of the specified remote adapter after download is therefore:

```
~/.cache/modelscope/hub/models/cyjhhh/lora_adapter_4_llama3
```

     Wait until the first submission has finished downloading the adapter, then click "kill running task" on the page to terminate the first training.

  8. Second training submission: configure the page parameters as follows, then click submit to see the backend command running.

  9. After waiting a while, you can see that torch.load() loaded the malicious adapter_model.bin file and executed the command. The related execution information can also be seen in the log file corresponding to --logging_dir.

  10. Note (prerequisites): requires a machine torch version < 2.6.0, while ms-swift accepts torch version >= 2.0.

II. Vulnerability Proof:

  1. Remote downloaded adapter malicious model: [lora_adapter_4_llama3](https://www.modelscope.cn/models/cyjhhh/lora_adapter_4_llama3/files)
  2. For the second training submission, it's recommended to follow the parameters shown in the screenshots above for reproduction, as it will validate the target modules specified in the base model and adapter config. If they don't match, the program will terminate early. It's also recommended to select the same dataset content as shown in the screenshots
  3. This report only reproduces RCE for one entry point (single path). In reality, there are more than one path in the code that can cause deserialization RCE

III. Fix Solution:

SWIFT has disabled torch.load operations in version 3.7 and later.
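A defender-side check, added here as an example and not part of the report or of ms-swift: it lists the imports a pickle stream would perform without unpickling it, using pickletools.genops, and refuses adapter_model.bin content that references anything outside an assumed allowlist. The allowlist, the function names and the sample streams are constructed for this example.

```python
import collections
import pickle
import pickletools

# Assumed allowlist of top-level modules a plain PyTorch state_dict pickle may
# import; tune it to what your own weight files actually reference.
ALLOWED_TOP_LEVEL = {"torch", "collections", "numpy", "_codecs"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}

def pickle_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the stream would import when unpickled.
    Walks the opcodes with pickletools.genops, so nothing is executed."""
    found, memo, recent, top = [], {}, [], None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS or op.name in GET_OPS:
            top = arg if op.name in STRING_OPS else memo.get(arg)
            recent.append(top)                   # strings (or memo re-pushes)
        elif op.name == "MEMOIZE":               # memo[len(memo)] = stack top
            memo[len(memo)] = top
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = top
        elif op.name not in ("PROTO", "FRAME"):  # anything else changes the top
            top = None
        if op.name == "GLOBAL":                  # protocol 0-3: "module name"
            mod, _, name = arg.partition(" ")
            found.append((mod, name))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: two strings below
            mod, name = ([None, None] + recent)[-2:]
            found.append((mod or "?", name or "?"))
    return found

def suspicious_globals(data: bytes) -> list[tuple[str, str]]:
    return [(m, n) for m, n in pickle_globals(data)
            if m.split(".", 1)[0] not in ALLOWED_TOP_LEVEL]

def is_plain_weights(data: bytes) -> bool:
    """True only if the pickle imports nothing outside the allowlist."""
    try:
        return not suspicious_globals(data)
    except Exception:                            # truncated or malformed: refuse
        return False

# Constructed samples (not the report's files): a benign OrderedDict in the
# state_dict layout, and streams that merely reference builtins.eval.
BENIGN = pickle.dumps(collections.OrderedDict(
    [("v_head.summary.weight", [0.1, 0.2]), ("v_head.summary.bias", [0.0])]), protocol=4)
SUSPECT = pickle.dumps(eval, protocol=4)
LEGACY = pickle.dumps(eval, protocol=2)          # GLOBAL opcode form of the same
```

Run it on the adapter bytes before any torch.load; on torch versions that still default to full unpickling (< 2.6.0 per the report) also pass weights_only=True, which torch has accepted since 1.13, and prefer safetensors adapters where the model hub offers them.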

Affected Packages

1 total

| Ecosystem | Package  | Vulnerable range | Fix    |
|-----------|----------|------------------|--------|
| PyPI      | ms-swift | all versions     | No fix |

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for ms-swift. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Remediation status

    No patched version of ms-swift has shipped for GHSA-r54c-2xmf-2cf3 yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.

  3. Mitigate without a patch

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-r54c-2xmf-2cf3 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-r54c-2xmf-2cf3. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
