Description
simple_GRPO implements a server (ref_server_regroup.py). For POST requests to the /upload path, it reads the data from request.body and passes the second part of the resulting list to bytes_to_tensor. bytes_to_tensor calls torch.load() directly on this untrusted network data without setting the safe parameter weights_only=True, so if the server runs on a torch version below 2.6 (where weights_only defaults to False), it is directly exposed to remote arbitrary code execution.
Impact
Remote code execution on the victim's machine over the network. Once the victim starts ref_server_regroup, an attacker who can reach it on the network gains arbitrary code execution by sending a POST to /upload carrying maliciously crafted serialized (pickled) data.
Mitigation
Pass weights_only=True to the torch.load() call in bytes_to_tensor, or pin the torch version to >= 2.6 in requirements.txt (where weights_only defaults to True).
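torch.load() is built on pickle, and weights_only=True is essentially a restricted unpickler that only resolves an allowlist of globals. The following is an added example, not code from simple_GRPO, that shows the same mechanism with the standard library so it runs without torch: an allowlisting Unpickler that refuses unknown globals, a static opcode pre-check suitable for logging at the upload path, and the corrected loader call under the hypothetical name bytes_to_tensor_fixed (assumes torch is installed where that function is actually used). The Marker class and the sample payloads are constructed for the demonstration.

```python
import collections
import io
import pickle
import pickletools

# Globals that legitimately appear in plain tensor/state-dict style payloads.
# torch's weights_only=True mode has its own, torch-specific allowlist; this
# short list is a constructed illustration of the same mechanism.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}

# Opcodes that let a pickle stream reference or invoke arbitrary Python objects.
# A payload that is "just data" (numbers, strings, lists, dicts) uses none of them.
RISKY_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
    "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD",
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup that is not on the allowlist.

    A hostile pickle executes code by naming a callable with a GLOBAL opcode
    and calling it via REDUCE; denying the lookup makes the call impossible.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"forbidden global {module}.{name} in uploaded payload")


def restricted_loads(data: bytes):
    """Deserialize uploaded bytes with the allowlisting unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def risky_opcodes(data: bytes):
    """Static pre-check that never executes the stream: the sorted set of
    object-referencing opcodes it contains. Useful for alerting at /upload."""
    present = {op.name for op, _arg, _pos in pickletools.genops(data)}
    return sorted(present & RISKY_OPCODES)


def is_rejected(data: bytes) -> bool:
    """True when the allowlisting unpickler refuses the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def bytes_to_tensor_fixed(data: bytes):
    """Corrected form of the server's loader (hypothetical name): the only
    change from the vulnerable pattern is weights_only=True. torch is imported
    lazily so the rest of this file runs without it."""
    import torch  # assumption: torch is installed on the server
    return torch.load(io.BytesIO(data), weights_only=True)


class Marker:
    """Constructed stand-in for an object an attacker might smuggle: pickling
    an instance forces a global reference to this class, which is exactly
    what both checks above must catch."""


def sample_payloads():
    """Constructed samples: plain data, an allowlisted global, and an object
    that references a non-allowlisted global."""
    return {
        "benign": pickle.dumps({"weights": [0.1, 0.2, 0.3]}, protocol=4),
        "allowed_global": pickle.dumps(
            collections.OrderedDict([("w", 1.5)]), protocol=4),
        "hostile": pickle.dumps(Marker(), protocol=4),
    }


if __name__ == "__main__":
    for label, payload in sample_payloads().items():
        print(label, "opcodes:", risky_opcodes(payload),
              "rejected:", is_rejected(payload))
```

The static scan and the allowlist are complementary: the scan flags any payload that references or builds objects at all (good for alerting), while the allowlist is what actually decides whether a reference is acceptable, so an OrderedDict-based state dict is flagged by the scan yet still loads.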