| { |
| "generated_at": "2026-02-21T05:45:55.193772+00:00", |
| "findings": [ |
| { |
| "description": "Loading the model requires executing custom Python from the repository because `config.json` declares `auto_map` entries (so `trust_remote_code=True` is needed); any compromise of the repository, or a mirror serving modified modules, therefore becomes arbitrary code execution on the loading host.", |
| "evidence": "config.json:5-9 (`\"auto_map\": {\"AutoConfig\": \"configuration_phi3.Phi3Config\", \"AutoModelForCausalLM\": \"modeling_phi3.Phi3ForCausalLM\", \"AutoTokenizer\": \"Xenova/gpt-4o\"}`); README.md + sample_finetune.py instruct `trust_remote_code=True`.", |
| "confidence": 0.95, |
| "severity": 4, |
| "mitigation": "Prefer `trust_remote_code=False` by using the official Transformers implementation (Phi3/Phi4 in modern transformers). If custom code is necessary, vendor the code locally, pin to an immutable commit hash, and load from a verified local path in a sandbox (container, no network egress during load). Consider removing `auto_map` before distributing." |
| }, |
| { |
| "description": "Supply-chain risk: the `AutoTokenizer` entry in `auto_map` points to a separate external repository (`Xenova/gpt-4o`). Resolving the tokenizer can fetch, and with `trust_remote_code=True` execute, code from that repository, which is maintained independently and is not covered by pinning this repository's revision.", |
| "evidence": "config.json:5-9 (`\"AutoTokenizer\": \"Xenova/gpt-4o\"`).", |
| "confidence": 0.85, |
| "severity": 4, |
| "mitigation": "Replace with a standard tokenizer class shipped with transformers (e.g., GPT2TokenizerFast) or a local module path. Avoid cross-repo `auto_map` references; if unavoidable, pin exact revision and audit that repo." |
| }, |
| { |
| "description": "Vulnerable dependency guidance: README recommends `torch==2.5.1`, which has critical/high vulnerabilities (including CVE-2025-32434, CVSS 9.8; fixed in 2.6.0).", |
| "evidence": "README.md (Requirements section): `torch==2.5.1`; query_vulns(torch==2.5.1): CVE-2025-32434 / PYSEC-2025-41 (fixed 2.6.0) and GHSA-4vmg-rw8f-92f9 (CVSS 9.8).", |
| "confidence": 0.9, |
| "severity": 4, |
| "mitigation": "Update docs/requirements to `torch>=2.6.0` (or latest stable) and re-test CUDA/flash-attn builds accordingly." |
| }, |
| { |
| "description": "Vulnerable dependency guidance: README suggests `vllm>=0.7.3`; vLLM 0.7.3 is affected by multiple critical vulnerabilities (up to CVSS 10.0) fixed in >=0.8.5.", |
| "evidence": "README.md (vLLM requirements): `vllm>=0.7.3`; query_vulns(vllm==0.7.3): GHSA-hj4w-hm2g-p6w5 (CVSS 10.0, fixed 0.8.5), GHSA-ggpf-24jw-3fcw (CVSS 9.8, fixed 0.8.0), GHSA-hjq4-87xh-g4fv (CVSS 9.8, fixed 0.8.5), etc.", |
| "confidence": 0.9, |
| "severity": 4, |
| "mitigation": "Change guidance to `vllm>=0.8.5` (or latest). If any vLLM server is deployed, do not expose its API to untrusted networks or clients until it has been upgraded to a fixed release." |
| }, |
| { |
| "description": "Vulnerable dependency guidance: `transformers==4.48.1` pinned in sample_finetune has CVE-2025-2099 (CVSS 7.5) and other issues.", |
| "evidence": "sample_finetune.py: installation steps include `pip3 install transformers==4.48.1`; query_vulns(transformers==4.48.1): PYSEC-2025-40 / CVE-2025-2099 (CVSS 7.5, fixed 4.49.0).", |
| "confidence": 0.9, |
| "severity": 4, |
| "mitigation": "Update scripts/docs to a patched release, preferably `transformers>=4.53.0` (or at least >=4.52.1 per advisories), and keep one consistent pinned version across materials." |
| }, |
| { |
| "description": "Transformers version drift: README recommends 4.49.0 (which still carries multiple medium-severity CVEs) while sample_finetune recommends 4.48.1 (which carries a high-severity CVE). Conflicting guidance increases the likelihood that users install a vulnerable version.", |
| "evidence": "README.md: `transformers==4.49.0`; sample_finetune.py: `transformers==4.48.1`; query_vulns(transformers==4.49.0) shows multiple CVEs (CVSS 5.3) fixed in 4.51.0/4.52.1/4.53.0.", |
| "confidence": 0.8, |
| "severity": 2, |
| "mitigation": "Provide a single `requirements.txt`/`environment.yml` with known-good minimums and align README + scripts to it." |
| }, |
| { |
| "description": "Model weights are distributed as `.safetensors` shards, a format that does not execute code on load (unlike pickle-based `.bin`/`.pkl` checkpoints).", |
| "evidence": "Files: model-00001-of-00002.safetensors, model-00002-of-00002.safetensors; model.safetensors.index.json present.", |
| "confidence": 0.99, |
| "severity": 1, |
| "mitigation": "Keep distributing weights exclusively in `.safetensors`. Note that this guards only against deserialization-time code execution; it does not verify that the weights themselves are unmodified, which is a separate integrity concern." |
| }, |
| { |
| "description": "No obvious dangerous code patterns in the included Python modules: no eval/exec/pickle/subprocess/network usage was detected in the audited files. Caveat: this was a token search plus an import review, so indirect dynamic execution (e.g. `os.system`, `__import__`/`importlib`, `getattr`-based dispatch, or encoded strings) would not necessarily be caught.", |
| "evidence": "Searched repo: no matches for `eval(`, `exec(`, `pickle`, `subprocess`, `requests`, `urllib`, `socket` outside the pre-generated security_report_gpt5.json; reviewed modeling_phi3.py and configuration_phi3.py imports show no network/process primitives.", |
| "confidence": 0.9, |
| "severity": 1, |
| "mitigation": "Continue to avoid side-effectful code in model modules; keep examples from performing network/file operations beyond expected training artifacts." |
| }, |
| { |
| "description": "No checksum or signature files are provided for the weight shards, so consumers have no published reference against which to verify that downloaded shards are unmodified.", |
| "evidence": "Directory listing: no *.sha256/*.md5/*.sig files for `model-00001-of-00002.safetensors` / `model-00002-of-00002.safetensors`.", |
| "confidence": 0.8, |
| "severity": 2, |
| "mitigation": "Publish SHA256 checksums and preferably Sigstore/GPG signatures for each shard and for `model.safetensors.index.json`, tied to a specific commit/revision, and document the verification steps consumers should run before loading." |
| } |
| ] |
| } |