GHSA-7c78-rm87-5673: MS SWIFT WEB-UI RCE Vulnerability

I. Detailed Description:

  1. Install ms-swift
pip install ms-swift -U
  1. Start web-ui
swift web-ui --lang en

  1. After startup, access through browser at http://localhost:7860/ to see the launched fine-tuning framework program

  2. Fill in necessary parameters In the LLM Training interface, fill in required parameters including Model id, Dataset Code. The –output_dir can be filled arbitrarily as it will be modified later through packet capture

  3. Click Begin to start training. Capture packets and modify the parameter corresponding to –output_dir

You can see the concatenated command being executed in the terminal where web-ui was started

  1. Wait for the program to run (testing shows it requires at least 5 minutes), and you can observe the effect of command execution creating files

II. Vulnerability Proof:

/tmp/xxx'; touch /tmp/inject_success_1; #

III. Fix Solution:

  1. The swift.ui.llm_train.llm_train.LLMTrain#train() method should not directly concatenate parameters with commands after receiving commands from the frontend
  2. The swift.ui.llm_train.llm_train.LLMTrain#train_local() method should not use os.system for execution, but should be changed to subprocess.run([cmd, arg1, arg2…]) format

References

Code Behaviors & Features

Detect and mitigate GHSA-7c78-rm87-5673 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →