fix: use safe deserialization and tarfile extraction #70

Open

gn00295120 wants to merge 2 commits into NVIDIA:main from
Summary

- Add `weights_only=True` to all `torch.load()` calls to prevent arbitrary code execution via pickle deserialization (CVE-2025-32434, CWE-502)
- Add `filter='data'` to all `tarfile.extractall()` calls to prevent path traversal attacks (CVE-2007-4559, CWE-22)

Files Changed

| File | Lines | Change |
| --- | --- | --- |
| moshi/moshi/models/lm.py | ~979 | `torch.load(..., weights_only=True)` |
| moshi/moshi/models/loaders.py | ~160, ~217, ~295 | `torch.load(..., weights_only=True)` |
| moshi/moshi/server.py | ~333, ~349 | `tarfile.extractall(..., filter='data')` |
| moshi/moshi/offline.py | ~145 | `tarfile.extractall(..., filter='data')` |

Security Impact

- `torch.load()` without `weights_only=True` deserializes arbitrary Python objects via pickle, allowing remote code execution if a malicious checkpoint file is loaded. The `weights_only=True` flag restricts deserialization to tensor data only.
- `tarfile.extractall()` without `filter='data'` can be exploited via crafted archives containing `../` path components (tar slip / directory traversal). The `filter='data'` argument (available since Python 3.12, backported to 3.11.4+) strips dangerous metadata and blocks absolute/traversal paths.

Test Plan

- `weights_only=True` on standard `.pt` checkpoints
- `tarfile` extraction of `voices.tgz` and `dist.tgz` succeeds with `filter='data'`
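The tar-slip mitigation described above, as an added example that is not part of this PR or the moshi code base: it builds two constructed archives in memory, extracts them with the stdlib `data` filter, and shows a `../` member being refused before anything lands outside the destination. `build_archive`, `safe_extract` and `demo` are names chosen here, and the manual path check used when `tarfile.data_filter` is absent is this example's own fallback, not the PR's.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory .tar (constructed test data). tarfile does not
    sanitise names on write, so a '../x' member can be created on purpose."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def safe_extract(archive: str, dest: str) -> list[str]:
    """Extract `archive` into `dest`, refusing members that would land outside it.
    Uses the 'data' filter (PEP 706) when present, else a manual check (example's own)."""
    dest_real = os.path.realpath(dest)
    with tarfile.open(archive) as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest_real, filter="data")  # the fix applied in this PR
        else:
            for m in tar.getmembers():
                target = os.path.realpath(os.path.join(dest_real, m.name))
                if m.issym() or m.islnk() or os.path.commonpath([dest_real, target]) != dest_real:
                    raise tarfile.TarError(f"refusing unsafe member: {m.name}")
            tar.extractall(dest_real)
    root = Path(dest_real)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())

def demo() -> dict:
    """Benign archive extracts; a tar-slip archive is refused and nothing escapes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        outer = Path(tmp)
        dest = outer / "dest"
        dest.mkdir()
        (outer / "benign.tar").write_bytes(build_archive({"voices/ok.txt": b"fine"}))
        results["benign"] = safe_extract(str(outer / "benign.tar"), str(dest))
        (outer / "evil.tar").write_bytes(build_archive({"../escaped.txt": b"nope"}))
        try:
            safe_extract(str(outer / "evil.tar"), str(dest))
            results["blocked"] = False
        except tarfile.TarError:  # OutsideDestinationError is a TarError subclass
            results["blocked"] = True
        results["leaked"] = (outer / "escaped.txt").exists()
    return results
```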