CVE-2025-45146 Overview
CVE-2025-45146 is a critical insecure deserialization vulnerability affecting ModelCache for LLM through version v0.2.0. The vulnerability exists in the /manager/data_manager.py component and allows remote attackers to execute arbitrary code by supplying specially crafted serialized data. This flaw poses a severe risk to organizations using ModelCache for caching Large Language Model (LLM) inference results, as it can lead to complete system compromise without requiring any authentication or user interaction.
Critical Impact
Remote attackers can achieve arbitrary code execution by exploiting insecure deserialization in the data manager component, potentially leading to full system compromise of LLM infrastructure.
Affected Products
- Codefuse ModelCache versions through v0.2.0
- All deployments utilizing the vulnerable data_manager.py component
- LLM caching infrastructure leveraging ModelCache
Discovery Timeline
- 2025-08-11 - CVE-2025-45146 published to NVD
- 2025-10-17 - Last updated in NVD database
Technical Details for CVE-2025-45146
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The flaw exists in how ModelCache handles serialized data through PyTorch's torch.load() function. When processing cached model data, the application deserializes input without proper validation, allowing attackers to inject malicious serialized objects that execute arbitrary code upon deserialization.
The vulnerability is particularly dangerous in LLM infrastructure contexts, where ModelCache serves as a caching layer between applications and language models. An attacker who can supply crafted data to the cache can achieve remote code execution on the server processing the deserialization operation.
Root Cause
The root cause lies in the unsafe use of Python's pickle-based deserialization through PyTorch's torch.load() function. The vulnerable code in data_manager.py processes serialized data without implementing the recommended weights_only=True parameter or other safeguards against arbitrary object instantiation. When torch.load() deserializes data, it can instantiate arbitrary Python objects specified in the serialized payload, including objects with __reduce__ methods that execute malicious commands.
Attack Vector
The attack is network-based with low complexity requirements. An attacker can exploit this vulnerability by:
- Crafting a malicious serialized payload containing a Python object with a __reduce__ method that executes arbitrary commands
- Submitting this crafted payload to the ModelCache service through the data manager interface
- The torch.load() function deserializes the payload, triggering code execution during object instantiation
No privileges or user interaction are required for exploitation. The attacker can gain the same privileges as the service running ModelCache, potentially leading to data exfiltration, lateral movement, or complete infrastructure compromise.
The vulnerability is particularly concerning because PyTorch's documentation explicitly warns that torch.load() uses pickle under the hood and should not be used with untrusted data. For detailed technical analysis of the vulnerable code paths, refer to the vulnerability research documentation and the vulnerable data_manager.py code.
Detection Methods for CVE-2025-45146
Indicators of Compromise
- Unexpected process spawning from Python processes running ModelCache services
- Suspicious outbound network connections from ModelCache server infrastructure
- Anomalous file system modifications or creation of new files in ModelCache directories
- Unusual CPU or memory consumption patterns during cache operations
Detection Strategies
- Monitor for use of torch.load() with untrusted or external data sources in application logs
- Implement network-level monitoring for suspicious payloads containing pickle magic bytes (\\x80\\x04\\x95 for protocol 4)
- Deploy endpoint detection to identify reverse shell or command execution attempts originating from Python processes
- Review cache storage for serialized objects with suspicious __reduce__ method implementations
Monitoring Recommendations
- Enable verbose logging for ModelCache data manager operations
- Implement file integrity monitoring on ModelCache installation directories
- Configure alerting for any child process creation from the ModelCache service
- Monitor network traffic from LLM infrastructure for unexpected egress connections
How to Mitigate CVE-2025-45146
Immediate Actions Required
- Upgrade ModelCache to a patched version when available from Codefuse
- Restrict network access to ModelCache services using firewall rules and network segmentation
- Implement input validation to reject serialized data from untrusted sources
- Consider disabling external cache data ingestion until a patch is applied
Patch Information
Organizations should monitor the Codefuse ModelCache repository for security updates addressing this vulnerability. The fix is expected to implement safe deserialization practices, potentially using torch.load() with weights_only=True as recommended in the PyTorch documentation.
Workarounds
- Modify data_manager.py to use torch.load(file, weights_only=True) to prevent arbitrary code execution during deserialization
- Implement allowlist-based validation of serialized object types before deserialization
- Run ModelCache in an isolated container or sandbox environment to limit the impact of potential exploitation
- Apply strict network access controls to limit exposure of ModelCache services
# Network isolation example - restrict ModelCache access
# Configure firewall to allow only trusted internal hosts
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
# Run ModelCache in isolated container with limited capabilities
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
--read-only --tmpfs /tmp \
--network=internal-only \
modelcache:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
