Name of the Vulnerable Software and Affected Versions DGL (affected versions not specified)

Description The issue concerns the use of pickle serialization and deserialization in the RPC server of DGL, which poses a known risk for remote code execution due to vulnerabilities in pickle deserialization functionality. When running DGL distributed training and inference, assigning public IPs to instances in the cluster may increase the risk.

Recommendations For all versions of DGL, as a temporary workaround, consider restricting access to the RPC server by not assigning public IPs to any instance in the cluster when running DGL distributed training and inference. At the moment, there is no information about a newer version that contains a fix for this vulnerability.