CVE-2026-25873
Received - Intake
Unauthenticated Remote Code Execution via Insecure Deserialization in OmniGen2-RL Reward Server

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: VulnCheck

Description
OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that allows remote attackers to execute arbitrary commands by sending malicious HTTP POST requests. Attackers can exploit insecure pickle deserialization of request bodies to achieve code execution on the host system running the exposed service.
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-18
Generated: 2026-05-06
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: vectorspacelab
Product: omnigen2
Version / Range: From 3.0.0 (inc)
CWE ID: CWE-502
Description: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25873 is a critical remote code execution vulnerability in the OmniGen2-RL reward server component. It arises from unsafe deserialization of untrusted data using Python's pickle module in HTTP POST request bodies. Because the server deserializes these requests without authentication or validation, an attacker can send maliciously crafted pickle payloads that execute arbitrary commands on the host system running the exposed service.

This vulnerability is due to the insecure use of pickle.loads() on untrusted input, classified under CWE-502 (Deserialization of Untrusted Data). The affected servers bind to all network interfaces by default, exposing them broadly. The vulnerability allows unauthenticated remote attackers to execute code with potentially root privileges, impacting confidentiality, integrity, and availability. [1, 6]


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized remote code execution on the affected server. An attacker can run arbitrary system commands, potentially gaining root-level access inside the server environment.

Because the reward server and its proxy bind to all network interfaces without authentication, attackers can exploit this vulnerability remotely over the network. This can lead to full compromise of the server, allowing attackers to manipulate or disrupt the reward evaluation process, access sensitive data, or use the server as a foothold for further attacks.

Additionally, the client-side components that deserialize server responses using pickle are also at risk, creating a bidirectional attack surface where a compromised server can execute code on training clients.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring network traffic for suspicious HTTP POST requests sent to the OmniGen2-RL reward server component, especially those containing serialized Python pickle data. Since the vulnerability involves unsafe deserialization of untrusted data via pickle.loads(), detection can focus on identifying unexpected or malicious pickle payloads in POST requests.

Additionally, checking if the reward server or proxy server is listening on network interfaces (commonly ports 23456 for the proxy and 18888+ for backend workers) bound to 0.0.0.0 (all interfaces) can indicate exposure to unauthenticated remote attacks.

Suggested commands to detect the vulnerability or suspicious activity include:

  • Use netstat or ss to check open ports and listening addresses: `netstat -tulnp | grep -E '23456|18888'` or `ss -tulnp | grep -E '23456|18888'`
  • Capture and inspect HTTP POST traffic to the reward server ports using tcpdump or tshark: `tcpdump -i any tcp port 23456 -w capture.pcap` and then analyze with Wireshark for suspicious pickle payloads.
  • Search server logs for unexpected or malformed POST requests, or for evidence of deserialization errors or execution of unexpected commands.
  • If you have access to the server, check the source code for usage of `pickle.loads()` on HTTP POST data, especially in `reward_proxy.py` and `reward_server.py` files at lines 118, 208, and 224.

[1, 6]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing unauthenticated and unsafe deserialization of untrusted data by the reward server and proxy components.

Specifically:

  • Restrict network exposure by binding the reward server and proxy server to localhost or internal trusted interfaces instead of 0.0.0.0, and use firewall rules to limit access.
  • Implement authentication mechanisms such as requiring a shared secret in an Authorization header to prevent unauthorized access.
  • Replace unsafe Python pickle deserialization (`pickle.loads()`) with safe serialization methods such as JSON combined with base64 encoding, as demonstrated in the patch that introduces a `safe_serialization.py` module.
  • Apply the official patch (pull request #139) that removes all instances of `pickle.loads()` and `pickle.dumps()` in `reward_proxy.py` and `reward_server.py` and replaces them with safe serialization.
  • Monitor for suspicious activity and consider temporarily disabling the vulnerable service until a patch is applied.
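
The serialization and authentication steps above, sketched as an added example. This is not the project's `safe_serialization.py` or any code from pull request #139; the message shape (`prompt`, `images`), the function names, the size limit and the bearer-token format are assumptions chosen for illustration.

```python
import base64
import hmac
import json
import pickle
from typing import List, Optional

MAX_BODY = 32 * 1024 * 1024  # constructed limit; tune to real payload sizes


def encode_request(prompt: str, images: List[bytes]) -> bytes:
    """Serialize to JSON; raw bytes travel as base64 text, never as pickle."""
    doc = {"prompt": prompt,
           "images": [base64.b64encode(i).decode("ascii") for i in images]}
    return json.dumps(doc).encode("utf-8")


def decode_request(body: bytes) -> dict:
    """Parse and validate a request body; raises ValueError on anything else."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except ValueError as exc:  # covers UnicodeDecodeError and JSONDecodeError
        raise ValueError("body is not UTF-8 JSON") from exc
    if not isinstance(doc, dict) or set(doc) != {"prompt", "images"}:
        raise ValueError("unexpected fields")
    if not isinstance(doc["prompt"], str) or not isinstance(doc["images"], list):
        raise ValueError("wrong field types")
    try:
        images = [base64.b64decode(s, validate=True) for s in doc["images"]]
    except (TypeError, ValueError) as exc:
        raise ValueError("image is not valid base64") from exc
    return {"prompt": doc["prompt"], "images": images}


def authorized(header: Optional[str], secret: str) -> bool:
    """Constant-time check of an 'Authorization: Bearer <shared secret>' value."""
    expected = f"Bearer {secret}".encode()
    return hmac.compare_digest((header or "").encode(), expected)


if __name__ == "__main__":
    body = encode_request("a red cube", [b"\x89PNG\x00\xff"])  # constructed input
    print(decode_request(body))
    try:  # a pickled body is data to reject, not something to load
        decode_request(pickle.dumps({"prompt": "x", "images": []}))
    except ValueError as err:
        print("rejected:", err)
```

The decoder only ever produces strings, lists and bytes, so a hostile body can fail validation but cannot name a callable to run, which is the property `pickle.loads()` lacks.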
