
Fix CVE-2026-5843: gate model_file execution behind trust_remote_code#1385

Merged
angeloskath merged 3 commits into ml-explore:main from dogukanveziroglu:fix/model-file-opt-in on Jun 11, 2026

Conversation

@dogukanveziroglu

Contributor

If a model's config.json has a model_file key, load_model imports and runs
that Python file straight from the model directory (added in #830). It happens
on a plain load() with no way to turn it off, so loading a model can execute
arbitrary code. This is CVE-2026-5843 / GHSA-9m9w-53g9-47c4: it was reported
against Docker Model Runner, which embeds mlx-lm, but the root cause is here in
the library and main is still unguarded. The tokenizer path already puts custom
code behind trust_remote_code, so this does the same for model_file.

load_model now takes trust_remote_code (default False) and raises with a
clear message if a config wants a model_file without it. Setting
MLX_LM_TRUST_REMOTE_CODE=1 works too for the CLI tools. The flag is threaded
through load() and sharded_load(), and models without a model_file are
unchanged.

Tests cover the four cases: blocked by default with the custom file never
executed, enabled by the argument, enabled by the env var, and a normal model
still loading.

Loading a model whose config.json contains a model_file key used to
import and execute that Python file from the model directory
unconditionally on any load(). Gate it behind an explicit opt-in,
mirroring the tokenizer's trust_remote_code convention:

- load_model: add trust_remote_code (default False) and raise an
  actionable ValueError when a config requests model_file without it
- honor the MLX_LM_TRUST_REMOTE_CODE env var (1/true/yes)
- thread the flag through load() and sharded_load()
- add tests: blocked by default with no side effects, enabled via
  flag, enabled via env var, normal models unaffected
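The gate the description above lays out, as an added example that is not the PR's own code: `load_model`, `make_model_dir` and `run_cases` are hypothetical stand-ins, the model directory and its `custom.py` are constructed inline (the custom file drops a marker so the blocked case can prove it never executed), and the environment-variable path is the one the PR description proposes, which the maintainer later removed before merging.

```python
import importlib.util
import json
import os
import tempfile
from pathlib import Path

# Hypothetical stand-in for the gate the PR describes; names are not mlx-lm's real API.
ENV_VAR = "MLX_LM_TRUST_REMOTE_CODE"
CUSTOM_SRC = "from pathlib import Path\nPath(__file__).with_name('ran').touch()\nMODEL_NAME = 'custom'\n"

def load_model(model_path: Path, trust_remote_code: bool = False) -> str:
    """Return where the model class came from; execute model_file only after an explicit opt-in."""
    config = json.loads((model_path / "config.json").read_text())
    model_file = config.get("model_file")
    if model_file is None:
        return "builtin"  # normal model: unaffected by the gate
    # Env-var opt-in (1/true/yes) as the PR description has it; the merged change dropped it.
    env_opt_in = os.environ.get(ENV_VAR, "").strip().lower() in {"1", "true", "yes"}
    if not (trust_remote_code or env_opt_in):
        raise ValueError(f"config.json requests model_file={model_file!r}, which would execute "
                         f"Python from {model_path}; pass trust_remote_code=True only for trusted models")
    spec = importlib.util.spec_from_file_location("custom_model", model_path / model_file)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # the arbitrary-code step the gate protects
    return f"custom:{module.MODEL_NAME}"

def make_model_dir(custom: bool) -> Path:
    """Constructed model directory: config.json plus, optionally, a custom model_file."""
    path = Path(tempfile.mkdtemp())
    config = {"model_type": "demo"}
    if custom:
        config["model_file"] = "custom.py"
        (path / "custom.py").write_text(CUSTOM_SRC)
    (path / "config.json").write_text(json.dumps(config))
    return path

def run_cases() -> dict:
    """The four cases the PR's tests cover; 'blocked' also asserts the custom file never ran."""
    results, blocked = {}, make_model_dir(custom=True)
    try:
        load_model(blocked)
        results["default"] = "loaded"
    except ValueError:
        results["default"] = "blocked" if not (blocked / "ran").exists() else "blocked-but-ran"
    results["flag"] = load_model(make_model_dir(custom=True), trust_remote_code=True)
    os.environ[ENV_VAR] = "yes"
    results["env"] = load_model(make_model_dir(custom=True))
    os.environ.pop(ENV_VAR)
    results["plain"] = load_model(make_model_dir(custom=False))
    return results
```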
@kingroryg


Worth flagging though that it's an mlx-lm only change and only covers the model_file import path. It does not address vulnerabilities in the mlx core loaders themselves (https://github.com/ml-explore/mlx/security/advisories/GHSA-mxqr-6xw9-3x8j) e.g., parser bugs reachable from mx.load(...) on an untrusted file, where trust_remote_code never enters the picture.

@dogukanveziroglu

Contributor Author

> Worth flagging though that it's an mlx-lm only change and only covers the model_file import path. It does not address vulnerabilities in the mlx core loaders themselves (https://github.com/ml-explore/mlx/security/advisories/GHSA-mxqr-6xw9-3x8j) e.g., parser bugs reachable from mx.load(...) on an untrusted file, where trust_remote_code never enters the picture.

Yeah, this one's just the model_file path (CVE-2026-5843). The heap overflow in the core loaders is a separate bug and trust_remote_code won't help there. Can't see the advisory though, happy to help if you can add me.

@angeloskath angeloskath left a comment

Member


Thanks! I removed the env var and added the argument everywhere. Also added it to all scripts, and it is now shared with the hf tokenizer when passed in the scripts.

@angeloskath angeloskath merged commit bfa25a1 into ml-explore:main Jun 11, 2026
2 checks passed
@dogukanveziroglu dogukanveziroglu deleted the fix/model-file-opt-in branch June 11, 2026 18:29