MITRE service request: 1988584
Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).
Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT requests. When a Horovod worker reads data from the KVStore (via HTTP GET), it deserializes the data using cloudpickle.loads() without verifying its source or integrity. An attacker can exploit this by sending a malicious pickle payload to the server before the legitimate data is written, causing the victim worker to deserialize and execute arbitrary code, leading to remote code execution.
The coordination KVStore accepts anonymous HTTP PUTs. An attacker races to store a malicious cloudpickle blob before legitimate trainers publish their payload; workers that GET + cloudpickle.loads inherit arbitrary code execution.
092e5f5064f5211e036a165bba19d2bb64721ea2)./runfunc/func style endpoints on KVStore host/port visible on cluster network.cloudpickle.loads on retrieved bytes without HMAC or TLS client auth.Critical inside flat Kubernetes / VPC training networks.