| { | |
| "generated_at": "2026-02-21T02:44:58.666233+00:00", | |
| "findings": [ | |
| { | |
| "description": "Package requires trust_remote_code to load custom model code via auto_map (dynamic code execution risk).", | |
| "evidence": "config.json: \"auto_map\": {\"AutoConfig\": \"configuration_phi3.Phi3Config\", \"AutoModelForCausalLM\": \"modeling_phi3.Phi3ForCausalLM\", \"AutoTokenizer\": \"Xenova/gpt-4o\"}", | |
| "confidence": 0.95, | |
| "severity": 4, | |
| "mitigation": "Avoid trust_remote_code when possible by using the built-in transformers implementation (Phi3 in >=4.49). If custom code is required, vendor and review the code locally, pin to a specific commit hash, and run in a sandboxed environment. Remove/override auto_map in config before distribution to prevent inadvertent remote code loading." | |
| }, | |
| { | |
| "description": "AutoTokenizer in auto_map points to external repository \"Xenova/gpt-4o\" (supply-chain/code-execution risk when trust_remote_code=True).", | |
| "evidence": "config.json: \"AutoTokenizer\": \"Xenova/gpt-4o\" (not a local module path). With trust_remote_code enabled, resolving AutoTokenizer may fetch/execute code from another repo.", | |
| "confidence": 0.85, | |
| "severity": 4, | |
| "mitigation": "Replace AutoTokenizer mapping with a standard tokenizer class (e.g., GPT2TokenizerFast) or a local module. Do not reference external repos in auto_map. If unavoidable, pin to a specific commit and audit that repository." | |
| }, | |
| { | |
| "description": "Examples instruct users to enable trust_remote_code=True in both Transformers and vLLM (increases RCE exposure).", | |
| "evidence": "README.md: AutoModelForCausalLM.from_pretrained(..., trust_remote_code=True); README.md: llm = LLM(model=\"microsoft/Phi-4-mini-instruct\", trust_remote_code=True); sample_finetune.py: model_kwargs includes trust_remote_code=True.", | |
| "confidence": 0.9, | |
| "severity": 4, | |
| "mitigation": "Publish examples that work with trust_remote_code=False. If custom code is necessary, add warnings, pin to a specific commit SHA, and recommend isolated environments (containers, network egress disabled during load)." | |
| }, | |
| { | |
| "description": "Vulnerable dependency: PyTorch 2.5.1 has multiple high/critical advisories (RCE/DoS).", | |
| "evidence": "query_vulns(torch==2.5.1): includes PYSEC-2025-41 / CVE-2025-32434 (CVSS 9.8, fixed in 2.6.0), GHSA-4vmg-rw8f-92f9 (CVSS 9.8), and others.", | |
| "confidence": 0.9, | |
| "severity": 4, | |
| "mitigation": "Upgrade to torch>=2.6.0 (and preferably latest stable >=2.8.0 where remaining issues are fixed). Rebuild CUDA extensions accordingly and re-test." | |
| }, | |
| { | |
| "description": "Vulnerable dependency: vLLM 0.7.3 contains multiple critical CVEs enabling remote compromise.", | |
| "evidence": "query_vulns(vllm==0.7.3): GHSA-hj4w-hm2g-p6w5 (CVSS 10.0, fixed in 0.8.5), GHSA-ggpf-24jw-3fcw (CVSS 9.8, fixed in 0.8.0), GHSA-hjq4-87xh-g4fv (CVSS 9.8, fixed in 0.8.5), plus others.", | |
| "confidence": 0.9, | |
| "severity": 4, | |
| "mitigation": "Upgrade to vllm>=0.8.5 (or latest). Review release notes for any security-relevant configuration changes. Avoid exposing vLLM HTTP endpoints to untrusted networks until patched." | |
| }, | |
| { | |
| "description": "Vulnerable dependency: Transformers 4.48.1 (recommended in sample_finetune) includes a High-severity CVE.", | |
| "evidence": "query_vulns(transformers==4.48.1): PYSEC-2025-40 / CVE-2025-2099 (CVSS 7.5), plus several medium issues.", | |
| "confidence": 0.9, | |
| "severity": 4, | |
| "mitigation": "Use transformers>=4.52.1 (or latest >=4.53.0 per advisories). Ensure examples and training scripts are updated consistently." | |
| }, | |
| { | |
| "description": "Vulnerable dependency: Transformers 4.49.0 (recommended in README) has multiple medium-severity CVEs.", | |
| "evidence": "query_vulns(transformers==4.49.0): GHSA-37mw-44qp-f5jm, GHSA-489j-g2vx-39wf, etc. (CVSS ~5.3).", | |
| "confidence": 0.9, | |
| "severity": 3, | |
| "mitigation": "Upgrade to transformers>=4.52.1 (or latest >=4.53.0). Align all scripts/docs to the same secure version to avoid version drift." | |
| }, | |
| { | |
| "description": "Conflicting/unpinned dependency guidance across docs (e.g., transformers==4.49.0 in README vs 4.48.1 in sample_finetune; \"vllm>=0.7.3\"). This increases the risk of installing vulnerable versions.", | |
| "evidence": "README.md and sample_finetune.py show different transformers pins; vLLM is lower-bounded only (>=0.7.3).", | |
| "confidence": 0.8, | |
| "severity": 2, | |
| "mitigation": "Provide a single, pinned, known-good requirements file (requirements.txt or environment.yml) with secure versions: torch>=2.6.0, transformers>=4.52.1, vllm>=0.8.5, accelerate 1.3.0+, peft 0.14.0+, etc." | |
| }, | |
| { | |
| "description": "Model weights use a safe format (safetensors), avoiding pickle-based RCE risk.", | |
| "evidence": "Files: model-00001-of-00002.safetensors, model-00002-of-00002.safetensors; model.safetensors.index.json present.", | |
| "confidence": 0.99, | |
| "severity": 1, | |
| "mitigation": "None needed. Continue distributing weights exclusively as .safetensors." | |
| }, | |
| { | |
| "description": "No dangerous code patterns found in repository Python files (no eval/exec/pickle/subprocess/requests usage).", | |
| "evidence": "Searched configuration_phi3.py, modeling_phi3.py, sample_finetune.py for eval/exec/pickle/subprocess/requests/urllib/socket/base64/open; no hits of concern.", | |
| "confidence": 0.9, | |
| "severity": 1, | |
| "mitigation": "Keep examples minimal and avoid network/file side effects in repository code." | |
| }, | |
| { | |
| "description": "No published checksums for model weights.", | |
| "evidence": "No SHA256/MD5 checksum files alongside *.safetensors; only index JSON.", | |
| "confidence": 0.8, | |
| "severity": 2, | |
| "mitigation": "Publish SHA256 checksums (and preferably signatures, via Sigstore or detached GPG) for each safetensors shard and the index so consumers can verify integrity after download and before loading; checksums hosted alongside the artifacts only add value if they are signed or obtained out-of-band." | |
| } | |
| ] | |
| } |