Open
Description
Hello, I seem to have discovered a vulnerability in this project. The code corresponding to the vulnerability is located at `delta = pickle.loads(request.data)` (https://github.com/maxpumperla/elephas/blob/master/elephas/parameter/server.py#L118). The data value in the request is directly deserialized, and data is all the content in the POST, which is controllable content on the client side. By transmitting malicious serialization code, arbitrary code can be remotely executed, so there is a deserialization vulnerability.
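A hardened way to receive a weight update, as an added example that is not part of the original report and is not elephas code: the body is authenticated with an HMAC and parsed as JSON, so `pickle.loads` is never called on request data. The names `encode_delta` and `decode_delta`, the pre-shared `key`, the size limit and the assumption that each layer's weights are flattened to a list of floats are all hypothetical.

```python
import hashlib
import hmac
import json

MAX_BODY = 64 * 1024 * 1024  # assumed upper bound on one update, in bytes
TAG_LEN = hashlib.sha256().digest_size


def encode_delta(delta, key):
    """Worker side: serialize a list of flat float lists and prepend an HMAC tag."""
    body = json.dumps(delta).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).digest() + body


def decode_delta(data, key, expected_sizes):
    """Server side: authenticate first, parse as data only, then validate the shape."""
    if not TAG_LEN < len(data) <= MAX_BODY:
        raise ValueError("bad request size")
    tag, body = data[:TAG_LEN], data[TAG_LEN:]
    # Constant-time comparison; unauthenticated bodies are never parsed.
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad authentication tag")
    try:
        delta = json.loads(body)  # JSON yields only plain data, never objects or calls
    except ValueError as exc:  # covers JSONDecodeError and UnicodeDecodeError
        raise ValueError("body is not JSON") from exc
    if not isinstance(delta, list) or len(delta) != len(expected_sizes):
        raise ValueError("unexpected number of layers")
    for layer, size in zip(delta, expected_sizes):
        if not isinstance(layer, list) or len(layer) != size:
            raise ValueError("unexpected layer size")
        if not all(type(v) in (int, float) for v in layer):
            raise ValueError("non-numeric weight")
    return delta
```

The server would call `decode_delta(request.data, key, expected_sizes)` in place of the `pickle.loads(request.data)` line quoted in the report, with `expected_sizes` taken from the model it already holds.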