Impact
Any user who loads a saved GraphStorm model, its corresponding optimizer status, or generated node embeddings using the GraphStorm framework is impacted. If a malicious model, optimizer status, or node embedding is loaded using the GraphStorm framework, arbitrary functions packed inside the torch model can be executed, and the attacker can use certain functions to attack the instance running GraphStorm code.
Patches
GraphStorm v0.1 uses torch version 1.13.1, but the GraphStorm design gives users the flexibility to select their own torch version. We recommend that users use torch 1.13+ and load any torch model with torch.load(weights_only=True). The GraphStorm framework with torch 1.13+ uses torch.load(weights_only=True) to load model parameters. (GraphStorm still uses torch.load(weights_only=False) to load optimizer status due to compatibility problems, so if you really want to load the optimizer status corresponding to a saved GraphStorm model, please only load trusted models.)
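The following added example (not GraphStorm or PyTorch code) uses only the standard-library pickle module to illustrate the allowlisting idea behind torch.load(weights_only=True): the unpickler refuses any global that is not explicitly permitted. The names ALLOWED_GLOBALS, AllowlistUnpickler, safe_loads, constructed_samples and check are hypothetical, and the sample payloads are constructed inline.

```python
import collections
import io
import os
import pickle

# Assumed allowlist for this sketch: the only global a plain state dict needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals and rejects the rest."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Fail closed: the referenced callable is never imported or returned.
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize data, allowing primitives, containers and allowlisted globals."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def constructed_samples():
    """Build two constructed payloads: a plain state dict and a tampered one."""
    trusted = pickle.dumps(
        collections.OrderedDict(step=3, lr=0.01, betas=[0.9, 0.999])
    )
    # Stand-in for tampering: the payload references a function object.
    # Pickling it only records the function's name; nothing is executed here.
    tampered = pickle.dumps({"step": 3, "hook": os.getcwd})
    return trusted, tampered


def check(data: bytes):
    """Return ("loaded", obj) or ("rejected", reason) for a serialized payload."""
    try:
        return ("loaded", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for payload in constructed_samples():
        print(check(payload))
```

This shows the mechanism only; for real checkpoints use torch.load(weights_only=True) as recommended above, and treat any file that must be loaded with weights_only=False as trusted input only.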
Workarounds
Do not load data which originated from an untrusted source, or that could have been tampered with. Only load data you trust.
References
torch.load WARNING