CVE-2025-50472

CRITICAL

modelscope/ms-swift <2.6.1 - RCE

Title source: llm
STIX 2.1

Description

The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized `.mdl` payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine. Note that the payload file is a hidden file, making it difficult for the victim to detect tampering. More importantly, during the model training process, after the `.mdl` file is loaded and executes arbitrary code, the normal training process remains unaffected'meaning the user remains unaware of the arbitrary code execution.

Exploits (2)

nomisec WORKING POC 1 stars
by Before-Rain · poc
https://github.com/Before-Rain/CVE-2025-50472
nomisec WORKING POC 1 stars
by xhjy2020 · poc
https://github.com/xhjy2020/CVE-2025-50472

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0105
EPSS Percentile 77.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-502
Status published
Published Aug 01, 2025
Tracked Since Feb 18, 2026