Kedreamix / Linly-Talker

Digital Avatar Conversational System - Linly-Talker. 😄✨ Linly-Talker is an intelligent AI system that combines large language models (LLMs) with visual models to create a novel human-AI interaction method. 🤝🤖 It integrates various technologies like Whisper, Linly, Microsoft Speech Services, and SadTalker talking head generation system. 🌟🔬
https://kedreamix.github.io/
MIT License

Potential Code Injection Vulnerability #37

Open nevercodecorrect opened 1 month ago

nevercodecorrect commented 1 month ago

Code injection could happen via environment variable. In code here, it directly evals the value from environment variable. A malicious local actor could set something like export is_half='os.system("touch rickroll")' to execute arbitrary commands. It would be better to use ast.literal_eval here. For ref, this issue is similar to CVE-2022-2054.
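An added example of the hardened parse the report suggests; this is not Linly-Talker's code and only the variable name `is_half` comes from the issue. The helper `parse_bool_env` and the sample values are assumptions constructed here. ast.literal_eval accepts only Python literals (booleans, numbers, strings, containers) and raises on names and calls, so an environment value that is an expression is refused instead of executed; the helper additionally insists on a real bool so that values like `1` are rejected too.

```python
import ast


def parse_bool_env(env, name="is_half", default=True):
    """Read a boolean from an environment-like mapping without eval.

    Hypothetical helper (not the project's code). `env` is any mapping
    such as os.environ. Returns `default` when the variable is unset and
    raises ValueError for anything that is not the literal True/False.
    """
    raw = env.get(name)
    if raw is None:
        return default
    try:
        # literal_eval parses the string as a Python literal only: it
        # never resolves names, attributes or calls, so os.system(...)
        # style payloads fail here with ValueError (or SyntaxError for
        # statements) rather than running.
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"{name}={raw!r} is not a Python literal") from exc
    # bool is a subclass of int, but int is not a bool: "1" is refused.
    if not isinstance(value, bool):
        raise ValueError(f"{name} must be True or False, got {value!r}")
    return value


def classify(env):
    """Return ('ok', value) or ('rejected', reason) for one environment."""
    try:
        return ("ok", parse_bool_env(env))
    except ValueError as exc:
        return ("rejected", str(exc))


# Constructed sample environments (not taken from the issue) covering the
# unset case, valid literals, a non-bool literal and a benign expression
# that literal_eval refuses to evaluate.
SAMPLE_ENVS = {
    "unset": {},
    "true": {"is_half": "True"},
    "false": {"is_half": "False"},
    "not_a_bool": {"is_half": "1"},
    "expression": {"is_half": "os.getcwd()"},
    "statement": {"is_half": "import os"},
}

if __name__ == "__main__":
    for label, env in SAMPLE_ENVS.items():
        print(f"{label:>10}: {classify(env)}")
```

Dropping the string into ast.literal_eval is only half of the fix: a plain `bool(os.environ.get("is_half"))` would treat the string "False" as truthy, which is why the helper checks the parsed type rather than the raw string.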

Kedreamix commented 1 month ago

Thank you for bringing this to my attention and for highlighting the potential security risk. I will try!!!