CVE-2025-50472

EIP tracks 2 public exploits for CVE-2025-50472. PoCs published by Before-Rain, xhjy2020.

AI-analyzed exploit summary This repository provides a functional exploit for CVE-2025-50472, demonstrating RCE via unsafe deserialization in ModelScope's ms-swift library. The PoC includes a malicious `.mdl` file and exploit code that leverages `pickle.load` to execute arbitrary commands during model loading.

The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized `.mdl` payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine. Note that the payload file is a hidden file, making it difficult for the victim to detect tampering. More importantly, during the model training process, after the `.mdl` file is loaded and executes arbitrary code, the normal training process remains unaffected'meaning the user remains unaware of the arbitrary code execution.