{
  "generated_at": "2026-02-21T02:44:58.666233+00:00",
  "findings": [
    {
      "description": "Package requires trust_remote_code=True to load its custom model code via auto_map (Python shipped in the repository executes on the loading host).",
      "evidence": "config.json: \"auto_map\": {\"AutoConfig\": \"configuration_phi3.Phi3Config\", \"AutoModelForCausalLM\": \"modeling_phi3.Phi3ForCausalLM\", \"AutoTokenizer\": \"Xenova/gpt-4o\"}",
      "confidence": 0.95,
      "severity": 4,
      "mitigation": "Avoid trust_remote_code where possible by using the built-in transformers implementation (Phi3 in >=4.49) and loading with trust_remote_code=False. If the custom code is genuinely required, vendor configuration_phi3.py and modeling_phi3.py locally, review them, pin the download to a specific commit hash (revision=<sha>), and perform the load in a sandbox with network egress disabled. Remove or override auto_map in config.json before redistribution so that a downstream from_pretrained(..., trust_remote_code=True) cannot silently pull dynamic modules."
    },
    {
      "description": "AutoTokenizer in auto_map points to an external repository, \"Xenova/gpt-4o\" (supply-chain and code-execution risk when trust_remote_code=True).",
      "evidence": "config.json: \"AutoTokenizer\": \"Xenova/gpt-4o\" is a repository id, not a module.Class path within this repository. auto_map values are resolved as dynamic modules only when trust_remote_code=True; an entry that names a second repository extends the trust boundary to that repository's maintainers and may cause code to be fetched and executed from there rather than from this package.",
      "confidence": 0.85,
      "severity": 4,
      "mitigation": "Replace the AutoTokenizer mapping with a standard tokenizer class (e.g., GPT2TokenizerFast) or a local module, and confirm that tokenizer_config.json names a built-in tokenizer_class so the auto_map entry can simply be deleted. Do not reference external repositories in auto_map. If unavoidable, pin to a specific commit of that repository and audit it."
    },
    {
      "description": "Examples instruct users to enable trust_remote_code=True in both Transformers and vLLM (normalizes the riskiest loading mode and increases RCE exposure).",
      "evidence": "README.md: AutoModelForCausalLM.from_pretrained(..., trust_remote_code=True); README.md: llm = LLM(model=\"microsoft/Phi-4-mini-instruct\", trust_remote_code=True); sample_finetune.py: model_kwargs includes trust_remote_code=True.",
      "confidence": 0.9,
      "severity": 4,
      "mitigation": "Publish examples that work with trust_remote_code=False. If custom code is necessary, add an explicit warning, pin to a specific commit SHA, and recommend isolated environments (containers, network egress disabled during load)."
    },
    {
      "description": "Vulnerable dependency: the pinned PyTorch 2.5.1 has multiple high/critical advisories (RCE/DoS).",
      "evidence": "query_vulns(torch==2.5.1): includes PYSEC-2025-41 / CVE-2025-32434 (CVSS 9.8, fixed in 2.6.0), GHSA-4vmg-rw8f-92f9 (CVSS 9.8), and others.",
      "confidence": 0.9,
      "severity": 4,
      "mitigation": "Upgrade to torch>=2.6.0 (preferably the latest stable, >=2.8.0, where the remaining issues are fixed), rebuild CUDA extensions against the new torch, and re-test. CVE-2025-32434 affects torch.load even when weights_only=True is set, so any checkpoint or state_dict loading in fine-tuning scripts is in scope; the safetensors weights themselves are not loaded through torch.load."
    },
    {
      "description": "Vulnerable dependency: vLLM 0.7.3 contains multiple critical CVEs enabling remote compromise.",
      "evidence": "query_vulns(vllm==0.7.3): GHSA-hj4w-hm2g-p6w5 (CVSS 10.0, fixed in 0.8.5), GHSA-ggpf-24jw-3fcw (CVSS 9.8, fixed in 0.8.0), GHSA-hjq4-87xh-g4fv (CVSS 9.8, fixed in 0.8.5), plus others.",
      "confidence": 0.9,
      "severity": 4,
      "mitigation": "Upgrade to vllm>=0.8.5 (or latest). Review the release notes for security-relevant configuration changes. Until patched, do not expose vLLM's HTTP endpoints or its internal RPC sockets to untrusted networks; bind to localhost and front the API with an authenticating reverse proxy."
    },
    {
      "description": "Vulnerable dependency: Transformers 4.48.1 (pinned in sample_finetune.py) includes a High-severity CVE.",
      "evidence": "query_vulns(transformers==4.48.1): PYSEC-2025-40 / CVE-2025-2099 (CVSS 7.5), plus several medium issues.",
      "confidence": 0.9,
      "severity": 4,
      "mitigation": "Use transformers>=4.52.1 (or the latest, >=4.53.0, per advisories). Update README.md and sample_finetune.py to the same version so the examples and the training script do not diverge."
    },
    {
      "description": "Vulnerable dependency: Transformers 4.49.0 (recommended in README.md) has multiple medium-severity CVEs.",
      "evidence": "query_vulns(transformers==4.49.0): GHSA-37mw-44qp-f5jm, GHSA-489j-g2vx-39wf, etc. (CVSS ~5.3).",
      "confidence": 0.9,
      "severity": 3,
      "mitigation": "Upgrade to transformers>=4.52.1 (or the latest, >=4.53.0). Align all scripts and docs to the same patched version to avoid version drift."
    },
    {
      "description": "Conflicting and partly unpinned dependency guidance across docs (transformers==4.49.0 in README.md vs 4.48.1 in sample_finetune.py; vllm only lower-bounded as >=0.7.3), which increases the chance of installing vulnerable versions.",
      "evidence": "README.md and sample_finetune.py show different transformers pins; vLLM is lower-bounded only (>=0.7.3), so a resolver may legitimately select the vulnerable 0.7.3.",
      "confidence": 0.8,
      "severity": 2,
      "mitigation": "Provide a single, pinned, known-good requirements file (requirements.txt or environment.yml) with patched versions: torch>=2.6.0, transformers>=4.52.1, vllm>=0.8.5, accelerate>=1.3.0, peft>=0.14.0, etc., and reference it from both README.md and sample_finetune.py."
    },
    {
      "description": "Model weights use the safe format (safetensors), avoiding pickle-based RCE risk.",
      "evidence": "Files: model-00001-of-00002.safetensors, model-00002-of-00002.safetensors; model.safetensors.index.json present.",
      "confidence": 0.99,
      "severity": 1,
      "mitigation": "None needed. Continue distributing weights exclusively as .safetensors and do not add pickle-based formats (.bin, .pt, .pth) alongside them."
    },
    {
      "description": "No dangerous code patterns found in the repository's Python files (no eval/exec/pickle/subprocess/requests usage).",
      "evidence": "Searched configuration_phi3.py, modeling_phi3.py, sample_finetune.py for eval/exec/pickle/subprocess/requests/urllib/socket/base64/open; no hits of concern.",
      "confidence": 0.9,
      "severity": 1,
      "mitigation": "Keep examples minimal and avoid network or file side effects in repository code. This pattern search is a weak control: under trust_remote_code the modeling code runs in full regardless of which APIs it calls, so it does not replace the auto_map mitigations above."
    },
    {
      "description": "No published checksums for model weights.",
      "evidence": "No SHA256/MD5 checksum files alongside *.safetensors; only the index JSON is present.",
      "confidence": 0.8,
      "severity": 2,
      "mitigation": "Publish SHA256 checksums (and preferably signatures, via Sigstore or detached GPG) for each safetensors shard and the index file so consumers can verify integrity after download and before loading. Hugging Face's LFS metadata already carries a sha256 per file, so a pinned commit hash gives equivalent assurance for direct downloads; a signed checksum file additionally covers offline transfer and third-party mirrors."
    }
  ]
}
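The first two findings recommend inspecting auto_map and stripping it from config.json before redistribution. The following script is an added example for this report, not code from the scanned repository or from the Phi-4-mini-instruct project: it classifies each auto_map value the way transformers' dynamic-module loader would interpret it (a "module.Class" path inside the repo, an "org/repo--module.Class" cross-repository path, or something that is neither) and emits a sanitized copy of the config. SAMPLE_CONFIG is constructed from the auto_map quoted in the evidence; the regexes and the "foreign" category are this example's own assumptions.

```python
"""Audit the auto_map of a Hugging Face config.json and emit a sanitized copy.

Added example (not code from the scanned repository). The constructed
SAMPLE_CONFIG mirrors the auto_map quoted in the finding.
"""
import json
import re
from copy import deepcopy

SAMPLE_CONFIG = {  # constructed for this example from the finding's evidence
    "model_type": "phi3",
    "architectures": ["Phi3ForCausalLM"],
    "auto_map": {
        "AutoConfig": "configuration_phi3.Phi3Config",
        "AutoModelForCausalLM": "modeling_phi3.Phi3ForCausalLM",
        "AutoTokenizer": "Xenova/gpt-4o",
    },
}

# "module.Class": code shipped in this repo; "org/repo--module.Class": code in another repo.
_LOCAL_REF = re.compile(r"^[A-Za-z_]\w*\.[A-Za-z_]\w*$")
_CROSS_REPO_REF = re.compile(r"^[\w.-]+/[\w.-]+--[A-Za-z_]\w*\.[A-Za-z_]\w*$")


def classify_ref(ref: str) -> str:
    """Classify one auto_map value as 'local', 'cross_repo' or 'foreign'."""
    if _LOCAL_REF.match(ref):
        return "local"
    if _CROSS_REPO_REF.match(ref):
        return "cross_repo"
    # e.g. a bare repo id such as "Xenova/gpt-4o": not a loadable module path,
    # but still a reference outside this repository that must be reviewed.
    return "foreign"


def audit_auto_map(config: dict) -> dict:
    """Return {auto_class: kind} for every auto_map entry (empty dict if none)."""
    return {k: classify_ref(v) for k, v in config.get("auto_map", {}).items()}


def requires_remote_code(config: dict) -> bool:
    """True if loading this config with AutoClasses would need trust_remote_code=True."""
    return bool(config.get("auto_map"))


def sanitize_config(config: dict) -> tuple:
    """Return (copy without auto_map, removed auto_map) so loading uses only built-in classes."""
    clean = deepcopy(config)
    removed = clean.pop("auto_map", {})
    return clean, removed


def sanitize_config_file(src: str, dst: str) -> dict:
    """Rewrite config.json at src into dst without auto_map; return what was removed."""
    with open(src, encoding="utf-8") as f:
        clean, removed = sanitize_config(json.load(f))
    with open(dst, "w", encoding="utf-8") as f:
        json.dump(clean, f, indent=2)
    return removed


if __name__ == "__main__":
    for auto_class, kind in audit_auto_map(SAMPLE_CONFIG).items():
        print(f"{auto_class:22s} {SAMPLE_CONFIG['auto_map'][auto_class]!r} -> {kind}")
    clean, removed = sanitize_config(SAMPLE_CONFIG)
    print("removed auto_map:", json.dumps(removed))
    print("sanitized config needs trust_remote_code:", requires_remote_code(clean))
```

After sanitizing, load with `AutoModelForCausalLM.from_pretrained(path, trust_remote_code=False)`; if that fails because the built-in architecture does not match, the custom code really is required and the vendoring and pinning steps in the mitigation apply.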
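The dependency findings (PyTorch, vLLM, Transformers and the conflicting pins) all reduce to one control: every requirement that governs a package with a known advisory must not admit a version below the patched release. This is an added example, not code from the scanned repository: it parses requirements-style lines, compares exact pins and lower bounds against a policy of minimum patched versions, and rewrites the offending lines. The MIN_SECURE floors are taken from the mitigations in this report and are this example's assumption; SAMPLE_REQUIREMENTS is constructed from the pins quoted in the evidence.

```python
"""Audit dependency pins against minimum patched versions.

Added example, not code from the scanned repository. Floors come from the
report's mitigations; the sample requirements are constructed from the
pins quoted in the evidence (README.md and sample_finetune.py).
"""
import re

MIN_SECURE = {  # assumption: policy floors recommended by the findings above
    "torch": "2.6.0",
    "transformers": "4.52.1",
    "vllm": "0.8.5",
}

SAMPLE_REQUIREMENTS = """\
# constructed from the pins quoted in the evidence
flash_attn==2.7.4.post1
torch==2.5.1
transformers==4.49.0
accelerate==1.3.0
vllm>=0.7.3
peft
"""

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|>|<=|<|!=)?\s*([^\s;#]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization so flash_attn and flash-attn compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def release_tuple(version: str, width: int = 3) -> tuple:
    """Numeric release segment, zero-padded: '2.7.4.post1' -> (2, 7, 4)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in m.group(0).split(".")] if m else []
    return tuple((parts + [0] * width)[:width])


def audit_requirements(text: str, policy: dict = MIN_SECURE) -> list:
    """Return (package, line, reason) for each governed line that admits a version below policy."""
    floors = {normalize_name(k): v for k, v in policy.items()}
    issues = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _REQ.match(line) if line else None
        if not m:
            continue
        name, op, ver = normalize_name(m.group(1)), m.group(2), m.group(3)
        if name not in floors:
            continue
        floor = floors[name]
        if op is None or not ver:
            issues.append((name, line, f"unpinned; must be >={floor}"))
        elif op == "==" and release_tuple(ver) < release_tuple(floor):
            issues.append((name, line, f"pinned below patched version {floor}"))
        elif op in (">=", ">", "~=") and release_tuple(ver) < release_tuple(floor):
            issues.append((name, line, f"lower bound admits vulnerable versions; raise to >={floor}"))
        elif op in ("<", "<=", "!="):
            issues.append((name, line, f"no lower bound enforces the patched version {floor}"))
    return issues


def enforce_floors(text: str, policy: dict = MIN_SECURE) -> str:
    """Rewrite flagged lines as 'package>=floor'; leave every other line untouched."""
    flagged = {pkg for pkg, _, _ in audit_requirements(text, policy)}
    floors = {normalize_name(k): v for k, v in policy.items()}
    out = []
    for raw in text.splitlines():
        m = _REQ.match(raw.split("#", 1)[0].strip())
        name = normalize_name(m.group(1)) if m else None
        out.append(f"{name}>={floors[name]}" if name in flagged else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for pkg, line, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{pkg:14s} {line:24s} {reason}")
    print("--- corrected ---")
    print(enforce_floors(SAMPLE_REQUIREMENTS), end="")
```

Run it against the single requirements file the mitigation asks for and wire it into CI, so that a future downgrade of a pin (or a reintroduced `>=0.7.3`-style bound) fails the build rather than shipping silently.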
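The safetensors and checksum findings together describe what a consumer should check before loading a shard: that the file really is safetensors (an 8-byte little-endian header length followed by a JSON header, with tensor offsets that are contiguous and consistent with dtype and shape), and that its SHA256 matches a published manifest. This is an added example, not code from the scanned repository or the project: it builds two tiny shards in memory (constructed, not the real weights), validates their headers, rejects a pickle-looking byte stream, and writes and verifies a SHA256SUMS-style manifest. The 100 MiB header ceiling and the dtype table are this example's assumptions about the format's limits.

```python
"""Validate safetensors shards and build/verify a SHA256 manifest.

Added example, not code from the scanned repository. The shard bytes are
constructed in memory so it runs offline; on a real checkout, point
sha256_path() at model-*.safetensors and model.safetensors.index.json.
"""
import hashlib
import json
import struct

_DTYPE_SIZE = {"BOOL": 1, "U8": 1, "I8": 1, "F8_E4M3": 1, "F8_E5M2": 1, "I16": 2, "U16": 2,
               "F16": 2, "BF16": 2, "I32": 4, "U32": 4, "F32": 4, "I64": 8, "U64": 8, "F64": 8}
MAX_HEADER = 100 * 1024 * 1024  # assumption: ceiling on the JSON header size


def build_safetensors(tensors: dict) -> bytes:
    """Serialize {name: (dtype, shape, raw_bytes)} in safetensors layout (test data only)."""
    header, data, offset = {"__metadata__": {"format": "pt"}}, b"", 0
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": list(shape), "data_offsets": [offset, offset + len(raw)]}
        data += raw
        offset += len(raw)
    hdr = json.dumps(header).encode()
    return struct.pack("<Q", len(hdr)) + hdr + data


def validate_safetensors(blob: bytes) -> tuple:
    """Parse the length-prefixed JSON header and check every tensor's offsets and byte size."""
    if len(blob) < 8:
        return False, "too short for a header length"
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER or 8 + n > len(blob):
        return False, "header length out of range (not safetensors; possibly a pickle)"
    try:
        header = json.loads(blob[8:8 + n])
        data_len = len(blob) - 8 - n
        entries = sorted((v["data_offsets"], k, v) for k, v in header.items() if k != "__metadata__")
        expected = 0
        for (start, end), name, info in entries:
            if start != expected or end < start or end > data_len:
                return False, f"{name}: offsets not contiguous or out of bounds"
            count = 1
            for d in info["shape"]:
                count *= d
            if info["dtype"] not in _DTYPE_SIZE or count * _DTYPE_SIZE[info["dtype"]] != end - start:
                return False, f"{name}: dtype/shape do not match byte length"
            expected = end
    except (ValueError, KeyError, TypeError):
        return False, "malformed header"
    if expected != data_len:
        return False, "trailing bytes after last tensor"
    return True, f"ok: {len(entries)} tensors, {data_len} data bytes"


def sha256_bytes(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def sha256_path(path: str, chunk: int = 1 << 20) -> str:
    """Streaming SHA256 for multi-GB shards on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(files: dict) -> str:
    """SHA256SUMS-style text ('<hex>  <name>') for {name: bytes}."""
    return "".join(f"{sha256_bytes(b)}  {n}\n" for n, b in sorted(files.items()))


def verify_manifest(manifest: str, files: dict) -> list:
    """Names listed in the manifest that are missing or whose bytes do not match."""
    bad = []
    for line in manifest.splitlines():
        digest, name = line.split("  ", 1)
        if name not in files or sha256_bytes(files[name]) != digest:
            bad.append(name)
    return bad


SHARDS = {  # constructed stand-ins for the repository's two shards
    "model-00001-of-00002.safetensors": build_safetensors({"w": ("F32", (2,), b"\x00" * 8)}),
    "model-00002-of-00002.safetensors": build_safetensors({"b": ("BF16", (3,), b"\x00" * 6)}),
}
PICKLE_LIKE = b"\x80\x02}q\x00X\x04\x00\x00\x00testq\x01."  # protocol-2 pickle stream, must be rejected

if __name__ == "__main__":
    for name, blob in SHARDS.items():
        print(name, validate_safetensors(blob))
    print("pickle-like blob:", validate_safetensors(PICKLE_LIKE))
    manifest = write_manifest(SHARDS)
    print(manifest, end="")
    tampered = dict(SHARDS)
    tampered["model-00002-of-00002.safetensors"] = SHARDS["model-00002-of-00002.safetensors"][:-1] + b"\x01"
    print("mismatches after tampering:", verify_manifest(manifest, tampered))
```

The manifest text is what the mitigation asks the publisher to ship next to the shards and the index; signing that one file (Sigstore or a detached GPG signature) is enough, since each shard is bound to it by its digest.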