Description
SDV uses cloudpickle as its serialization mechanism when saving and loading models. cloudpickle only extends the pickler side; cloudpickle.load() shares the same underlying deserialization protocol as Python's standard pickle.load(), so it will execute arbitrary Python code embedded in untrusted data (for example via a __reduce__ callable such as os.system or eval) while the object is being rebuilt. An attacker need only craft a malicious .pkl file; when a user passes it to the load API, the payload executes immediately during deserialization, before any model object is returned and with no further interaction required.
Locations

| File | Line | Context |
| --- | --- | --- |
| sdv/single_table/base.py | 764 | cloudpickle.load() in BaseSingleTableSynthesizer.load() |
Suggested Fix
- Consider using secure formats such as safetensors as an alternative to pickle. safetensors covers tensor weights only, so any non-tensor synthesizer state (metadata, column transformers, constraints) needs a data-only format such as JSON rather than a pickled object graph.
- Use digital signatures to verify the integrity of model files. The signature must be checked over the raw file bytes before any unpickling begins; a check performed after load() is too late, because the payload runs during deserialization.
- As defense in depth, unpickle with a pickle.Unpickler subclass whose find_class() only resolves an allowlist of globals the model format actually needs, so a payload that somehow passes the integrity check still cannot reach os.system, eval or subprocess.
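The following is an added example, not SDV's own code, that demonstrates both halves of the advisory: a crafted pickle of the kind the Description refers to, the unchecked load that runs it, and the two checks the Suggested Fix calls for (integrity verification over the raw bytes before unpickling, then an allowlisting unpickler). MaliciousModel, craft_payload, load_unverified, load_verified, RestrictedUnpickler, SIGNING_KEY and demo are names invented for this example; HMAC-SHA256 is used as a stand-in for the asymmetric signature the fix recommends because the standard library has no signing primitive, and the honest "model" is a constructed dict rather than a real SDV synthesizer. cloudpickle.load() is used when the package is installed and pickle.load() otherwise; both are the same unpickler.

```python
"""Added example, not SDV's own code: a crafted pickle of the kind the
advisory describes, the unchecked load that runs it, and the two checks
the suggested fix calls for (verify integrity of the raw bytes before
unpickling, then unpickle with an allowlist). Assumptions are marked."""
import hashlib
import hmac
import io
import os
import pickle

try:
    import cloudpickle  # the loader the advisory names
    _load = cloudpickle.load  # cloudpickle re-exports pickle.load unchanged
except ImportError:
    _load = pickle.load  # same protocol, same behaviour


class MaliciousModel:
    """Stand-in for a crafted .pkl. __reduce__ tells the unpickler to call
    eval() on an attacker-chosen string as part of rebuilding the object; a
    real payload would call os.system or subprocess instead."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def craft_payload() -> bytes:
    """What the attacker ships as a 'model file'. Standard pickle suffices;
    the bytes are valid input for cloudpickle.load as well."""
    return pickle.dumps(MaliciousModel(), protocol=pickle.HIGHEST_PROTOCOL)


def current_pid() -> int:
    return os.getpid()


def load_unverified(data: bytes):
    """Vulnerable pattern: unpickle whatever the file contains. With the
    payload above the return value is the pid of *this* process, i.e. the
    attacker's expression has already run inside the loading process."""
    return _load(io.BytesIO(data))


# Assumption: in practice the key lives in a KMS/HSM; HMAC-SHA256 stands in
# for the asymmetric signature the fix recommends (stdlib has no Ed25519).
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_model(data: bytes) -> bytes:
    """Producer side: tag the serialized bytes, never the loaded object."""
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


class RestrictedUnpickler(pickle.Unpickler):
    """Defense in depth: resolve only globals the model format needs. The
    allowlist is constructed for this demo; a plain-dict model needs none."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def load_verified(data: bytes, tag: bytes):
    """Hardened pattern: constant-time tag check on the raw bytes first, so
    the unpickler never sees unauthenticated input; then a restricted load."""
    if not hmac.compare_digest(sign_model(data), tag):
        raise ValueError("model file failed integrity check")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    payload = craft_payload()
    honest = pickle.dumps({"columns": ["age"], "weights": [0.2, 0.8]})
    honest_tag = sign_model(honest)

    try:  # mismatched/forged tag: rejected before any unpickling happens
        load_verified(payload, honest_tag)
        forged_rejected = False
    except ValueError:
        forged_rejected = True

    try:  # even with the tag check bypassed, eval is not on the allowlist
        RestrictedUnpickler(io.BytesIO(payload)).load()
        restricted_rejected = False
    except pickle.UnpicklingError:
        restricted_rejected = True

    return {
        "payload_ran": load_unverified(payload) == current_pid(),
        "honest_loaded": load_verified(honest, honest_tag),
        "forged_rejected": forged_rejected,
        "restricted_rejected": restricted_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Note the ordering in load_verified: the tag is compared over the bytes read from disk, and only then does the unpickler run. Reversing the order, or computing the tag over the returned object, would leave the window the advisory describes wide open.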
Impact
An attacker need only craft a malicious .pkl file; when a user calls the API to load it, the payload executes immediately during deserialization, with the privileges of the loading process and with no further interaction required.