CVE-2026-31229
CriticalSummary
The Adversarial Robustness Toolbox (ART) up to version 1.20.1 contains an insecure deserialization vulnerability in the Kubeflow component's model loading functionality. The use of torch.load() without the weights_only=True parameter allows for the deserialization of arbitrary Python objects, potentially leading to remote code execution.
Risk Assessment
An attacker can exploit this vulnerability by uploading a maliciously crafted model file to an object storage location, leading to remote code execution. This poses a significant security risk to the system.
Recommendation
It is recommended to update the Adversarial Robustness Toolbox to the latest version and implement additional safeguards when loading models, such as using the weights_only=True parameter in the torch.load() function.
Original NVD description (English source)
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by uploading a maliciously crafted model file to an object storage location referenced by the pipeline, or by controlling the model_id parameter to point to such a file. When the pipeline loads the model, the malicious payload is executed, leading to remote code execution.

