DL4J ModelSerializer: Remote Code Execution on model load (CWE-502)
org.deeplearning4j.util.ModelSerializer.restoreMultiLayerNetwork(File) /
restoreComputationGraph(File), the standard DL4J model-load API, read the
preprocessor.bin entry of the model .zip and deserialize it with
new ObjectInputStream(...).readObject(). The bytes come straight from the
attacker-supplied model file, so loading a malicious model executes arbitrary
Java deserialization and, with a gadget on the application classpath, arbitrary code.
Files
- malicious-model.zip: a DL4J model whose preprocessor.bin is a commons-collections gadget that runs touch /tmp/DL4J_RCE_CANARY
- LoadPoc.java: the victim action (loads the model with the normal API)
- pom.xml: DL4J 1.0.0-M2.1 + a representative classpath gadget (commons-collections 3.2.1)
- BuildMaliciousModel.java: how the malicious model was crafted (transparency)
Reproduce
- mvn -q dependency:build-classpath -Dmdep.outputFile=cp.txt
- javac --release 17 -cp "$(cat cp.txt)" LoadPoc.java
- rm -f /tmp/DL4J_RCE_CANARY
- java -cp ".:$(cat cp.txt)" LoadPoc
- Observe: /tmp/DL4J_RCE_CANARY now exists; the command ran during restoreMultiLayerNetwork, i.e. RCE.
Notes
- The deserialization SINK is unconditional: a model whose preprocessor.bin is any serialized object is deserialized on load (e.g. a plain HashMap is deserialized, then fails the (DataSetPreProcessor) cast). No valid config/coefficients are required to reach it.
- DL4J's own default dep is commons-collections4:4.1 (opt-in serialization guard), so a bare classpath has no usable gadget; RCE is realized with any unguarded gadget (older commons-collections, commons-beanutils, Spring, etc.), which are ubiquitous in JVM/Spark/Hadoop ML deployments.
Fix
Do not use ObjectInputStream on untrusted model data. Replace with a safe serializer
for DataSetPreProcessor, or wrap with a strict ObjectInputFilter allowlist.
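As an added illustration of the ObjectInputFilter option (example code, not this repo's PoC or DL4J's own code), the loader below installs an allowlist before readObject() and rejects everything else at the class-descriptor stage. AllowedPreProcessor stands in for the concrete DataSetPreProcessor class a real fix would name; the class, the limits and the sample bytes are assumptions constructed for the demo.

```java
import java.io.*;
import java.util.HashMap;

public class SafePreProcessorLoad {
    // Stand-in for the expected DataSetPreProcessor implementation (constructed for this
    // demo; a real fix would list the concrete DL4J preprocessor classes and their field types).
    static final class AllowedPreProcessor implements Serializable {
        private static final long serialVersionUID = 1L;
        final double[] mean, std;
        AllowedPreProcessor(double[] mean, double[] std) { this.mean = mean; this.std = std; }
    }

    // Allowlist exactly one class name; "!*" rejects every other class descriptor in the
    // stream (primitive arrays are left UNDECIDED by the pattern filter and so pass).
    // The limits bound depth, reference count and bytes read from a crafted stream.
    static final ObjectInputFilter PREPROCESSOR_FILTER = ObjectInputFilter.Config.createFilter(
            AllowedPreProcessor.class.getName() + ";!*;maxdepth=4;maxrefs=64;maxbytes=1048576");

    // Hardened replacement for new ObjectInputStream(in).readObject(): the filter is set
    // before readObject(), so a non-allowlisted class is refused at the class-descriptor
    // stage, before any readObject/readResolve code of that class can execute.
    static AllowedPreProcessor loadPreProcessor(byte[] preprocessorBin)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(preprocessorBin))) {
            ois.setObjectInputFilter(PREPROCESSOR_FILTER);
            return (AllowedPreProcessor) ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // A legitimate preprocessor.bin payload (constructed here) is accepted.
        byte[] good = serialize(new AllowedPreProcessor(new double[]{0.5}, new double[]{0.1}));
        System.out.println("accepted: mean[0]=" + loadPreProcessor(good).mean[0]);
        // Any other class (a plain HashMap here, as in the Notes) is rejected with
        // InvalidClassException instead of being materialised.
        try {
            loadPreProcessor(serialize(new HashMap<String, String>()));
            throw new AssertionError("non-allowlisted class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with the jdk.serialFilter system property, but a per-stream allowlist at the preprocessor.bin sink is the narrower fix.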