Advisories for Pypi/Ms-Swift package

2025

MS SWIFT WEB-UI RCE Vulnerability

I. Detailed Description:

Install ms-swift: pip install ms-swift -U

Start web-ui: swift web-ui --lang en

After startup, access through browser at http://localhost:7860/ to see the launched fine-tuning framework program.

Fill in necessary parameters: In the LLM Training interface, fill in required parameters including Model id, Dataset Code. The --output_dir can be filled arbitrarily as it will be modified later through packet capture.

Click Begin to start training. Capture packets and …

MS SWIFT Remote Code Execution via unsafe PyYAML deserialization

A Remote Code Execution (RCE) vulnerability exists in the modelscope/ms-swift project due to unsafe use of yaml.load() in combination with vulnerable versions of the PyYAML library (≤ 5.3.1). The issue resides in the tests/run.py script, where a user-supplied YAML configuration file is deserialized using yaml.load() with yaml.FullLoader. If an attacker can control or replace the YAML configuration file provided to the --run_config argument, they may inject a malicious payload that …

MS SWIFT Deserialization RCE Vulnerability

A remote code execution (RCE) vulnerability in the ms-swift framework through malicious pickle deserialization in adapter model files. The vulnerability allows arbitrary command execution when loading specially crafted adapter models from ModelScope. This occurs when the machine's torch version is < 2.6.0, while ms-swift accepts torch version >= 2.0.

I. Detailed Description:

Install ms-swift: pip install ms-swift -U

Start web-ui: swift web-ui …