PT-2024-4009 · Pytorch · Pytorch
Published: 2024-06-06 · Updated: 2024-10-02 · CVE-2024-5480
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
PyTorch versions prior to 2.2.2
Description:
The vulnerability in PyTorch's torch.distributed.rpc framework allows for remote code execution (RCE) due to the lack of proper verification of functions being called during RPC operations. This oversight permits attackers to execute arbitrary commands by leveraging built-in Python functions such as eval during multi-cpu RPC communication. The vulnerability arises from the lack of restriction on function calls when a worker node serializes and sends a PythonUDF (User Defined Function) to the master node, which then deserializes and executes the function without validation. This flaw can be exploited to compromise master nodes initiating distributed training, potentially leading to the theft of sensitive AI-related data.
Recommendations:
For versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the torch.distributed.rpc framework or disabling the use of PythonUDF (User Defined Function) until a patch is available. Avoid using the eval function in multi-cpu RPC communication to minimize the risk of exploitation.
Fix
Command Injection
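A model of the missing check the description refers to, as an added example that is not PyTorch's code and not the change shipped in 2.2.2: a receiver that deserializes a (function, arguments) request with pickle and resolves only allowlisted callables, so a request naming eval is refused before anything runs. The class and function names, the allowlist contents and the sample requests are assumptions made for illustration.

```python
import io
import math
import operator
import pickle

# Constructed allowlist: the only callables this receiver will resolve,
# keyed by the (module, qualname) pair pickle records for a function.
ALLOWED = {(f.__module__, f.__qualname__): f for f in (operator.add, math.sqrt)}


class RpcCallRejected(Exception):
    """Raised when a request names a callable outside the allowlist."""


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # pickle calls this for every global it has to resolve, so a
        # forbidden function is refused before it is ever loaded.
        if (module, name) not in ALLOWED:
            raise RpcCallRejected(f"{module}.{name} is not an allowed RPC target")
        return ALLOWED[(module, name)]


def handle_request(payload):
    """Deserialize a (callable, args) request and run it only if allowed."""
    request = AllowlistUnpickler(io.BytesIO(payload)).load()
    if not (isinstance(request, tuple) and len(request) == 2):
        raise RpcCallRejected("malformed request")
    func, args = request
    # Second check after loading: the target must be one of the allowlisted
    # function objects themselves, and the arguments a plain tuple.
    if not any(func is ok for ok in ALLOWED.values()) or not isinstance(args, tuple):
        raise RpcCallRejected("request target or arguments not acceptable")
    return func(*args)


def is_rejected(payload):
    """Return True if the receiver refuses the request."""
    try:
        handle_request(payload)
    except RpcCallRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: one allowed call, one naming the built-in eval.
    print(handle_request(pickle.dumps((operator.add, (2, 3)))))
    print(is_rejected(pickle.dumps((eval, ("1 + 1",)))))
```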
Affected Products
Pytorch