| { | |
| "generated_at": "2026-02-22T00:47:38.487288+00:00", | |
| "findings": [ | |
| { | |
| "description": "Destructive code executes on model forward: deletes files in the package directory", | |
| "evidence": "modeling_phi3.py: list_files_in_current_folder() iterates current_dir files and calls os.remove(...) for each; Phi3ForCausalLM.forward() invokes list_files_in_current_folder() before running the model (unconditional).", | |
| "confidence": 0.99, | |
| "severity": 5, | |
| "mitigation": "Do not load or execute this remote code. Remove/replace modeling_phi3.py with a vetted upstream implementation (e.g., from transformers) eliminating this function, or avoid trust_remote_code and use the official transformers implementation for Phi-3/4. Treat the artifact as compromised until fixed." | |
| }, | |
| { | |
| "description": "trust_remote_code required via auto_map and used in examples (remote code execution risk)", | |
| "evidence": "config.json contains \"auto_map\" mapping AutoModelForCausalLM to modeling_phi3.Phi3ForCausalLM and AutoTokenizer to \"Xenova/gpt-4o\" (external repo). README.md and sample_finetune.py instruct from_pretrained(..., trust_remote_code=True).", | |
| "confidence": 0.95, | |
| "severity": 4, | |
| "mitigation": "Avoid trust_remote_code=True. Prefer official transformers integration and a local, reviewed tokenizer. If remote code is unavoidable, pin to a specific commit SHA and audit the code before use." | |
| }, | |
| { | |
| "description": "Vulnerable dependency: torch==2.5.1 referenced in docs has critical CVEs", | |
| "evidence": "README lists torch==2.5.1; advisories include PYSEC-2025-41/CVE-2025-32434 (CVSS 9.8) and others affecting 2.5.1.", | |
| "confidence": 0.9, | |
| "severity": 4, | |
| "mitigation": "Upgrade to torch>=2.6.0 (or latest stable with security fixes). Rebuild and retest for compatibility." | |
| }, | |
| { | |
| "description": "Vulnerable dependency: vllm>=0.7.3 (example uses 0.7.3) has critical issues", | |
| "evidence": "README requires vllm>=0.7.3; vulnerability DB shows GHSA-hj4w-hm2g-p6w5 (CVSS 10.0), GHSA-ggpf-24jw-3fcw (CVSS 9.8), etc.; several fixed in >=0.8.5.", | |
| "confidence": 0.9, | |
| "severity": 4, | |
| "mitigation": "Use vllm>=0.8.5 (prefer latest patched). Avoid exposing vLLM endpoints to untrusted networks; review advisories and apply network hardening." | |
| }, | |
| { | |
| "description": "Vulnerable dependency: transformers==4.48.1 in finetune instructions contains high-severity DoS", | |
| "evidence": "sample_finetune.py install instructions pin transformers==4.48.1; advisory PYSEC-2025-40/CVE-2025-2099 (CVSS 7.5) fixed in 4.49.0.", | |
| "confidence": 0.9, | |
| "severity": 4, | |
| "mitigation": "Upgrade to transformers>=4.49.0 (prefer >=4.53.0 or latest to address additional CVEs). Retest finetuning pipeline." | |
| }, | |
| { | |
| "description": "transformers==4.49.0 (in README) has multiple medium-severity issues", | |
| "evidence": "README pins transformers==4.49.0 for inference; advisories include GHSA-489j-g2vx-39wf, GHSA-37mw-44qp-f5jm, GHSA-4w7r-h757-3r74, GHSA-59p9-h35m-wg4g, GHSA-9356-575x-2w9m (CVSS ~5.3).", | |
| "confidence": 0.85, | |
| "severity": 3, | |
| "mitigation": "Upgrade to transformers>=4.53.0 (or latest) where these are fixed. Validate Phi integration changes when upgrading." | |
| }, | |
| { | |
| "description": "Weights use safetensors format (safer than pickle)", | |
| "evidence": "model-00001-of-00002.safetensors, model-00002-of-00002.safetensors, model.safetensors.index.json present; no .bin/.pkl detected.", | |
| "confidence": 0.95, | |
| "severity": 1, | |
| "mitigation": "None required." | |
| }, | |
| { | |
| "description": "No integrity verification artifacts for weights", | |
| "evidence": "No checksum/signature files (e.g., SHA256SUMS) alongside .safetensors shards.", | |
| "confidence": 0.8, | |
| "severity": 2, | |
| "mitigation": "Publish SHA256 checksums (and ideally a signed manifest) so users can verify weight integrity before use." | |
| }, | |
| { | |
| "description": "No other dangerous primitives found aside from the destructive deletion", | |
| "evidence": "Reviewed modeling_phi3.py, configuration_phi3.py, sample_finetune.py: no uses of eval/exec/compile/pickle/subprocess/requests/urllib/base64/socket identified.", | |
| "confidence": 0.8, | |
| "severity": 1, | |
| "mitigation": "Keep code minimal and audited; continue to avoid unsafe primitives. Remove the destructive function as priority." | |
| } | |
| ] | |
| } |