⚡ Active KEV CVE-2026-47117 2026-06-02

CVE-2026-47117: OpenMed Privacy-Filter Loads Attacker-Controlled Models as Code

OpenMed before 1.5.2 ships a remote code execution flaw (CVSS 9.8) in its PII privacy-filter, where a sloppy substring match lets an unauthenticated attacker steer model loads to a malicious Hugging Face repo that executes arbitrary Python under the service account.

What Is It

A critical remote code execution vulnerability (CWE-94, Code Injection) in OpenMed's PII privacy-filter model loading path. The dispatcher performed broad substring matching on the user-supplied model_name parameter, so a value shaped like attacker/foo-privacy-filter-bar was routed through a code path that loads Hugging Face models with trust_remote_code=True. If an attacker hosts a model repo with custom Transformers code wired up via auto_map in config.json or tokenizer_config.json, OpenMed imports and runs that code on the server.

Why It Matters

The CVSS 4.0 score is 9.3 and CVSS 3.1 is 9.8 (CRITICAL). The attack vector is network, complexity is low, no privileges are required, and no user interaction is needed. Successful exploitation yields full confidentiality, integrity, and availability impact; effectively arbitrary code execution as the OpenMed service process. Because the PII privacy-filter is a routine inference call, any deployment exposing this endpoint to untrusted input (multi-tenant SaaS, internet-reachable inference servers, healthcare-data pipelines) is directly reachable for pre-auth RCE.

This entry is not currently listed in CISA's KEV catalog, so no in-the-wild exploitation has been confirmed by CISA at time of writing.

What's Vulnerable

Patch Status

Fixed in OpenMed v1.5.2. The upstream patch (commit 98724f6, PR #59) tightens the privacy-filter dispatcher so attacker-controlled model_name values cannot reach the trust_remote_code=True path. Required action: upgrade to v1.5.2 or later. Operators who cannot upgrade immediately should block untrusted callers from supplying model_name and avoid loading any Hugging Face repository that is not explicitly allow-listed.

Sources