repository icon
facebookresearch / fairseq Project repository

Facebook AI Research Sequence-to-Sequence Toolkit written in Python.

Submit a report

FIRST INTERACTION

WITHINN/A DAYS

REVIEW

WITHIN15 DAYS

FIX

WITHINN/A DAYS

Zip Slip in FairseqModel.from_pretrained archive loading in facebookresearch/fai...
lewiswigmore
duplicate
High
Remote code execution via unsafe pickle.loads() in distributed training all_gath...
snakeyworm
duplicate
None
RCE via torch.load(weights_only=False) and Arbitrary Module Import in facebookre...
sucloudflare
duplicate
High
Command injection via unsanitized CLI arguments interpolated into subprocess she...
elliottower
self closed
Arbitrary code execution via unsafe torch.load(weights_only=False) and unprotect...
pulkit7070
duplicate
High
Arbitrary Code Execution via unsafe deserialization in checkpoint loading (torch...
romain-deperne
duplicate
High
Arbitrary File Write via Tar Path Traversal in Model Loading from Remote URLs
nhomyk
duplicate
High
RCE via eval() on optimizer config parameters in adafactor, adamax, adam, cpu_ad...
nhomyk
pending
RCE via Unsafe torch.load(weights_only=False) on HuggingFace Hub Model Checkpoi...
snailsploit
pending
RCE via torch.load(weights_only=False) + pickle.loads() in checkpoints and distr...
nhomyk
duplicate
Critical
Tar traversal in fairseq model archive extraction
sharathunni
duplicate
High
RCE via unsafe torch.load in vocoder checkpoint loading and pretrained decoder
hhhashexe
pending
Unsafe torch.load() Across 4 fairseq Modules Enables RCE via Malicious Checkpoin...
odysseypro25-project
duplicate
Critical
Arbitrary Code Execution via eval(input()) in scripts/compare_namespaces.py — CW...
theoddesseyp-ai
pending
Explicit weights_only=False in load_checkpoint_to_cpu() Enables RCE via Remote C...
theoddesseyp-ai
pending
Explicit weights_only=False in load_checkpoint_to_cpu() enables RCE via Remote C...
theoddesseyp-ai
duplicate
High
Arbitrary Code Execution via pickle.loads() on Untrusted Distributed Training Da...
theoddesseyp-ai
duplicate
High
Path Traversal via archive.extractall() in file_utils.py in facebookresearch/fai...
lexi-core-ai
duplicate
High
Arbitrary Code Execution via eval() in parse_manifest() in facebookresearch/fair...
lexi-core-ai
pending
OS Command Injection via unsanitized --dict argument in build_translation_manife...
lexi-core-ai
pending
Arbitrary Code Execution via eval() on untrusted manifest content in codedataset...
lexi-core-ai
duplicate
High
Arbitrary Code Execution via eval() on user-controlled model_overrides and manif...
narrator3333-hash
duplicate
Critical
SSRF via cached_path() downloading from user-controlled URLs in BPE/tokenizer co...
elucidator-hky
self closed
Arbitrary code execution via eval() on config/args values in multiple modules
elucidator-hky
duplicate
High
Path traversal via unsafe tarfile.extractall() in load_archive_file allows arbit...
elucidator-hky
duplicate
High
Arbitrary code execution via unsafe torch.load(weights_only=False) in fairseq ch...
elucidator-hky
self closed
Unsafe Deserialization via bare torch.load in fairseq checkpoint loading
etwithin
pending
Arbitrary Code Execution via torch.load(weights_only=False) in Checkpoint Loadin...
jeremysommerfeld8910-cpu
pending
Test eval RCE in fairseq manifest parsing
jeremysommerfeld8910-cpu
pending
Arbitrary Code Execution via eval() in Manifest File Parsing (5 instances, disti...
jeremysommerfeld8910-cpu
duplicate
Critical
Path traversal via tarfile.extractall() on archives downloaded from URLs in load...
avienma007
duplicate
Critical
Arbitrary Code Execution via torch.load(weights_only=False) in Checkpoint Loadin...
jeremysommerfeld8910-cpu
duplicate
Critical
Arbitrary Code Execution via eval() in Manifest File Parsing (5 instances)
jeremysommerfeld8910-cpu
duplicate
Critical
Arbitrary Code Execution via eval() in Manifest File Parsing (5 instances)
jeremysommerfeld8910-cpu
self closed
Arbitrary File Write (Zip Slip) in `fairseq.hub_utils.from_pretrained` via `file...
zitoxxx
duplicate
High
Arbitrary Code Execution via eval() on Untrusted Model Configuration Strings in...
optimus-fulcria
duplicate
High
Multiple Critical ACE Vectors via torch.load(weights_only=False), eval(), Hydra...
morecitricacid-coder
pending
Multiple Critical ACE Vectors via torch.load(weights_only=False), eval(), Hydra...
morecitricacid-coder
pending
228-Site Attack Surface — torch.load(weights_only=False) + eval() + subprocess i...
morecitricacid-coder
pending
228-Site Attack Surface — torch.load(weights_only=False) + eval() + subprocess i...
morecitricacid-coder
pending
228-Site Attack Surface — torch.load(weights_only=False) + eval() + subprocess i...
morecitricacid-coder
pending
eval() on manifest file lines in codedataset.py gives RCE through crafted datase...
yanivfi1978
duplicate
High
Remote Code Execution via Unsafe torch.load(weights_only=False) in HuggingFace M...
yanivfi1978
duplicate
High
Arbitrary Code Execution via eval() on Untrusted Manifest Data File Content in p...
phenggeler
pending
Additional RCE via Unsafe eval() in fairseq Core Library (28 Occurrences, 14 Fil...
responsiblereport10
pending
Command Injection via subprocess shell=True
responsiblereport10
pending
Arbitrary Code Execution via Unsafe PyTorch Model Deserialization
responsiblereport10
duplicate
High
Arbitrary Code Execution via Unsafe PyTorch Model Deserialization
responsiblereport10
duplicate
High
Unrestricted URL fetching in `cached_path` enables SSRF-style network access and...
f00dat
pending
Unsafe PyTorch checkpoint deserialization via `torch.load(..., weights_only=Fals...
f00dat
duplicate
Critical
Unsafe tar extraction allows path traversal and arbitrary file write
f00dat
duplicate
Critical
Arbitrary Code Execution via Insecure Model Loading in Fairseq
aydinnyunus
duplicate
High
Remote Code Execution in facebookresearch/fairseq via Unsafe Model Deserializati...
jonnylitten
pending
Remote Code Execution (RCE) via Unsafe eval() on CLI Argument in Fairseq Scripts
imshagufta
pending
Arbitrary Code Execution Leading to Arbitrary File Read via Fairseq's `--user-di...
theneelofficial
pending
Arbitrary File Write via Path Traversal
theneelofficial
pending
Path Traversal
sahiloj
pending
Remote Code Execution by Pickle Deserialization via distributed.utils.all_gather...
chenpinji
pending
Arbitrary File Overwrite in from_pretrained api
sunrisexu
duplicate
High
Code Injection via the _build_index() Function in the FastaDataset Class
williwollo
informative
Critical
Arbitrary File Write via Path Traversal
williwollo
informative
High
Arbitrary file write during tarfile extraction at file_utils
rook1337
informative
Critical
huntr: facebookresearch/fairseq