| { |
| "generated_at": "2026-02-22T00:09:12.901048+00:00", |
| "findings": [ |
| { |
| "description": "Malicious/destructive code in model forward pass deletes files in the model directory on inference", |
| "evidence": "modeling_phi3.py:53-60 defines list_files_in_current_folder() that iterates current directory and calls os.remove(...); modeling_phi3.py:924 calls list_files_in_current_folder() inside Phi3ForCausalLM.forward()", |
| "confidence": 0.99, |
| "severity": 5, |
| "mitigation": "Do NOT set trust_remote_code=True and do not execute this repository’s custom code. Remove the list_files_in_current_folder function and its invocation from modeling_phi3.py before any use. Prefer loading the official Phi3 architecture from transformers with trust_remote_code=False. If inspection is required, only run in a sandboxed, read-only environment." |
| }, |
| { |
| "description": "Repository requires/encourages trust_remote_code=True, enabling arbitrary code execution from this repo", |
| "evidence": "config.json auto_map requires loading configuration_phi3.Phi3Config and modeling_phi3.Phi3ForCausalLM; README examples show trust_remote_code=True; sample_finetune.py sets trust_remote_code=True in model_kwargs", |
| "confidence": 0.95, |
| "severity": 4, |
| "mitigation": "Avoid trust_remote_code. Use the official transformers implementation of Phi3 with trust_remote_code=False. Either remove auto_map from config.json, or vendor and review the code, pin it to a specific, vetted commit, and run it in a locked-down environment." |
| }, |
| { |
| "description": "AutoTokenizer auto_map points to external repo (Xenova/gpt-4o), adding supply-chain risk and potential remote code load", |
| "evidence": "config.json: \"auto_map\": { \"AutoConfig\": \"configuration_phi3.Phi3Config\", \"AutoModelForCausalLM\": \"modeling_phi3.Phi3ForCausalLM\", \"AutoTokenizer\": \"Xenova/gpt-4o\" }", |
| "confidence": 0.9, |
| "severity": 4, |
| "mitigation": "Replace the AutoTokenizer mapping with a local safe tokenizer (e.g., GPT2Tokenizer) and remove any external repo references. Confirm that the replacement tokenizer's vocabulary matches the one the model was trained with. Ensure trust_remote_code is False when resolving the tokenizer." |
| }, |
| { |
| "description": "Vulnerable PyTorch version pinned in README (torch==2.5.1) with critical CVEs", |
| "evidence": "README.md requires torch==2.5.1; query_vulns: CVE-2025-32434 (CVSS 9.8) and others affecting PyTorch 2.5.1", |
| "confidence": 0.92, |
| "severity": 4, |
| "mitigation": "Upgrade to a patched release (e.g., torch>=2.8.0; 2.6.0 is the minimum and carries only some of the fixes). Rebuild wheels for your CUDA stack and revalidate." |
| }, |
| { |
| "description": "vLLM guidance in the README (vllm>=0.7.3) admits vulnerable versions, with advisories rated up to CVSS 10.0", |
| "evidence": "README.md: vllm>=0.7.3; query_vulns shows GHSA-hj4w-hm2g-p6w5 fixed in 0.8.5 (CVSS 10.0) and others", |
| "confidence": 0.9, |
| "severity": 4, |
| "mitigation": "Pin to vllm>=0.8.5 (or latest patched). Use constraints to prevent downgrade and review release security notes." |
| }, |
| { |
| "description": "Sample fine-tune instructions pin transformers==4.48.1 with high-severity CVEs", |
| "evidence": "sample_finetune.py instructions: pip install transformers==4.48.1; query_vulns: PYSEC-2025-40 (CVE-2025-2099, CVSS 7.5) and others", |
| "confidence": 0.88, |
| "severity": 4, |
| "mitigation": "Use transformers>=4.53.0 (or >=4.52.1 for partial fixes). Update documentation and enforce version constraints/lockfiles." |
| }, |
| { |
| "description": "Model config references vulnerable transformers 4.45.0", |
| "evidence": "config.json: \"transformers_version\": \"4.45.0\"; query_vulns lists multiple 8.8 CVSS issues fixed in 4.48.0", |
| "confidence": 0.8, |
| "severity": 4, |
| "mitigation": "Ensure runtime uses a patched transformers version (>=4.48.0, ideally >=4.53.0). Do not install 4.45.0." |
| }, |
| { |
| "description": "README recommends transformers==4.49.0 which has medium-severity issues", |
| "evidence": "README.md: transformers==4.49.0; query_vulns shows CVEs around 5.3 CVSS", |
| "confidence": 0.85, |
| "severity": 3, |
| "mitigation": "Prefer transformers>=4.53.0 which addresses listed CVEs. Pin exact versions and verify against advisories." |
| }, |
| { |
| "description": "Weights use safetensors format (safer than pickle)", |
| "evidence": "Present: model-00001-of-00002.safetensors, model-00002-of-00002.safetensors, model.safetensors.index.json; no .bin/.pkl", |
| "confidence": 0.99, |
| "severity": 1, |
| "mitigation": "Continue distributing via safetensors; avoid pickle-based formats." |
| }, |
| { |
| "description": "No published checksums/signatures for weight shards", |
| "evidence": "No checksum/signature files for model-*.safetensors in repository", |
| "confidence": 0.7, |
| "severity": 2, |
| "mitigation": "Publish SHA256/SHA512 checksums or a signed manifest for all weight files and verify during download/CI." |
| } |
| ] |
| } |