GHSA-3x5x-fw77-g54c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3x5x-fw77-g54c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-3x5x-fw77-g54c/GHSA-3x5x-fw77-g54c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3x5x-fw77-g54c
- Published
- 2025-03-05T19:50:09Z
- Modified
- 2025-03-05T20:09:21.358666Z
- Severity
-
- 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- dmlc/dgl Vulnerable to Remote Code Execution by Pickle Deserialization via rpc.recv_request()
- Details
-
Impact
Dgl implements rpc server (startserver() in rpcserver.py) for supporting the RPC communications among different remote users over networks. It relies on pickle serialize and deserialize to pack and unpack network messages. The is a known risk in pickle deserialization functionality that can be used for remote code execution.
Patches
TBD.
Workarounds
When running DGL distributed training and inference (DistDGL) make sure you do not assign public IPs to any instance in the cluster.
References
Issue #7874
Reported by
Pinji Chen (cpj24@mails.tsinghua.edu.cn) from NISL lab (https://netsec.ccert.edu.cn/about) at Tsinghua University
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-502" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-03-05T19:50:09Z" }- References
Affected packages
PyPI / dgl
Package
- Name
- dgl
- View open source insights on deps.dev
- Purl
- pkg:pypi/dgl
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected2.4.0
Affected versions
0.*
0.0.1
0.1.0
0.1.2
0.1.3
0.2
0.3
0.3.1
0.4rc190819
0.4rc190821
0.4rc190822
0.4rc190823
0.4rc190824
0.4rc190826
0.4rc190902
0.4rc190903
0.4rc190904
0.4rc190905
0.4rc190906
0.4rc190908
0.4rc190909
0.4rc190910
0.4rc190911
0.4rc190912
0.4rc190915
0.4rc190916
0.4rc190917
0.4rc190918
0.4rc190920
0.4rc190921
0.4rc190923
0.4rc190924
0.4rc190927
0.4rc190928
0.4rc190929
0.4rc191001
0.4rc191003
0.4rc191004
0.4rc191005
0.4
0.4.1
0.4.2
0.4.3
0.4.3.post1
0.4.3.post2
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.6.0.post1
0.6.1
0.8.0.post1
0.9.0
0.9.1
1.*
1.0.0
1.0.1
1.0.4
1.1.0
1.1.1
1.1.2
1.1.2.post1
1.1.3
2.*
2.0.0
2.1.0
2.2.0
2.2.1