CVE-2025-5148

FunAudioLLM InspireMusic Pickle Data model.py load_state_dict deserialization

Description

A vulnerability was found in FunAudioLLM InspireMusic up to bf32364bcb0d136497ca69f9db622e9216b029dd. It has been classified as critical. Affected is the function load_state_dict of the file inspiremusic/cli/model.py of the component Pickle Data Handler. The manipulation leads to deserialization. An attack has to be approached locally. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The name of the patch is 784cbf8dde2cf1456ff808aeba23177e1810e7a9. It is recommended to apply a patch to fix this issue.

References

Link	Tags
https://vuldb.com/?id.310236	technical description vdb entry
https://vuldb.com/?ctiid.310236	signature permissions required
https://vuldb.com/?submit.573800	third party advisory
https://github.com/FunAudioLLM/InspireMusic/issues/53	issue tracking
https://github.com/FunAudioLLM/InspireMusic/issues/53#issuecomment-2866688220	issue tracking
https://github.com/FunAudioLLM/InspireMusic/commit/784cbf8dde2cf1456ff808aeba23177e1810e7a9	patch

Frequently Asked Questions

What is the severity of CVE-2025-5148?: CVE-2025-5148 has been scored as a medium severity vulnerability.
How to fix CVE-2025-5148?: To fix CVE-2025-5148, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-5148 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-5148 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-5148?: CVE-2025-5148 affects FunAudioLLM InspireMusic.

Description

Category

CWE-20 – Improper Input Validation

References

Frequently Asked Questions