--- Vulnerability Overview

Vulnerability Type: CWE-434: Unrestricted Upload of File with Dangerous Type
Severity: High (8.8)
- Attack Vector: Network
- Attack Complexity: Low
- Required Privileges: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Vulnerable Codebase: PyPI
- Affected Version: 0.11.16
Vulnerability Status: Informative
Discoverer:
- User: life-team2024 @life-team2024
- User Level: MIDDLEWEIGHT

--- Vulnerability Details

Target:
- Environment:
- Core Issue: Attackers can exploit malicious pickle files to trigger arbitrary code execution via the function.

Vulnerable Code:
- Code:
- Vulnerability Analysis: The function is used within . When a victim loads a file containing a class that defines the method, that method is executed automatically during unpickling. This is standard behaviour of Python's pickle deserialization mechanism, not a defect in pickle itself: the file tells the loader which callable to invoke and with which arguments, so whoever wrote the file decides what runs. An attacker who controls the file can therefore trigger unintended code execution or run arbitrary commands on the machine that loads it.

Proof of Concept:
- Concept: I configured the function to execute the command and created a malicious folder structure matching the required format for BGEM3Index.
- Code:
- After running the code: the attacker obtains a malicious folder named .
- If the victim downloads the storage folder and runs : the command executes on the victim's PC.
- Inspiration: I was inspired by the following vulnerability reports to identify and report this issue: Article 1, Article 2, Article 3

Remediation Suggestion: Since the vulnerability arises during , it is recommended to either remove this class or add a parameter such as to explicitly warn users about the risks of using this function. Note that a warning parameter only informs the user and does not stop the callable from running; the execution path is actually closed only by refusing to unpickle untrusted data, by loading through an Unpickler subclass whose find_class allows a fixed set of safe types, or by persisting the index in a format that cannot carry code.

Impact: If attackers upload malicious folders to model-sharing platforms like Hugging Face Hub, they can launch attacks on multiple PCs that download and load the model.
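The following is an added example, not the reporter's proof of concept and not code from the affected project. It reproduces the mechanism the analysis describes end to end: an attacker writes a pickle into a storage folder, a naive loader runs the attacker-chosen callable during load, and an allowlisting Unpickler refuses the same file before anything executes. The file name index_state.pkl, the class MaliciousIndexState and the recording callable attacker_callable are assumptions made for the example; a real payload would name os.system and a shell command instead of the harmless recorder used here.

```python
import builtins
import os
import pickle
import tempfile

# Records every argument the attacker-controlled callable was invoked with.
# In a real payload the callable would be os.system and the argument a shell
# command; a benign recorder keeps this example safe to run.
EXECUTED = []


def attacker_callable(arg):
    """Stand-in for os.system(...). Runs inside pickle.load, before the caller
    ever receives a 'loaded object'."""
    EXECUTED.append(arg)
    return arg


class MaliciousIndexState:
    """Constructed stand-in for whatever object an index's storage folder
    pickles (assumption, not the project's class). __reduce__ tells pickle to
    rebuild this object by calling attacker_callable(arg), so unpickling the
    file is itself the code execution."""

    def __init__(self, arg):
        self.arg = arg

    def __reduce__(self):
        return (attacker_callable, (self.arg,))


# Hypothetical file name inside the storage folder; the real layout is not on the page.
STATE_FILE = "index_state.pkl"


def build_malicious_folder(folder, command="echo pwned"):
    """Attacker side: write a pickle whose load calls attacker_callable(command)."""
    path = os.path.join(folder, STATE_FILE)
    with open(path, "wb") as f:
        pickle.dump(MaliciousIndexState(command), f)
    return path


def unsafe_load(folder):
    """Victim side as the report describes it: a plain pickle.load on a file
    that arrived in a downloaded folder."""
    with open(os.path.join(folder, STATE_FILE), "rb") as f:
        return pickle.load(f)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlisting loader: only the named builtin containers may be resolved,
    so a reference to any function (os.system, attacker_callable, ...) fails
    while the global is being looked up, before it can be called."""

    ALLOWED = {"dict", "list", "set", "frozenset", "tuple"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(folder):
    """Victim side with the allowlisting loader substituted for pickle.load."""
    with open(os.path.join(folder, STATE_FILE), "rb") as f:
        return RestrictedUnpickler(f).load()


def demo():
    """Returns (what ran under unsafe_load, whether safe_load refused the file,
    what ran under safe_load)."""
    with tempfile.TemporaryDirectory() as folder:
        build_malicious_folder(folder, "echo pwned")

        EXECUTED.clear()
        unsafe_load(folder)            # callable fires during load
        ran_unsafe = list(EXECUTED)

        EXECUTED.clear()
        try:
            safe_load(folder)
            refused = False
        except pickle.UnpicklingError:
            refused = True             # lookup of the callable was rejected
        ran_safe = list(EXECUTED)
    return ran_unsafe, refused, ran_safe


if __name__ == "__main__":
    print(demo())  # (['echo pwned'], True, [])
```

The point to take from the unsafe path is that no type check on the returned object can help: the command has already run by the time pickle.load returns. The restricted loader works because pickle resolves every callable through find_class before invoking it, so rejecting the lookup is sufficient; the allowlist has to stay limited to types that cannot execute code when constructed.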
--- Incident History and Discussion

Control Permissions:
- Incident History and Details:
- Marked as level and listed alongside similar vulnerability reports targeting the team.
- Security vulnerability report submitted to project maintainers on GitHub, one year ago.
- Report severity downgraded by ETF-runner-helper, one year ago.
- Project maintainers confirmed the report, one year ago.
- Planned release date automatically extended from January 2, 2025, to January 9, 2025, one year ago.
- Comment by run-llama/llama_index maintainer, one year ago.
- Comment by life-team2024, one year ago.
- Comment by ETF-runner-helper, one year ago.
- Comment by life-team2024, one year ago.

Automated Actions:
- Report submitted to internal tracking system, one year ago.
- Project maintainers of run-llama/llama_index notified, one year ago.
- Research capability penalized for misjudging severity.