OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad subst…

OpenMed versions before 1.5.2 contain a critical remote code execution vulnerability in the PII privacy-filter model loading functionality. The vulnerability stems from improper substring matching in the privacy-filter dispatcher that processes user-supplied model_name parameters. Attackers can exploit this by crafting malicious model names like 'attacker/foo-privacy-filter-bar' to bypass security controls. This allows loading of Hugging Face models with trust_remote_code=True, enabling execution of arbitrary code. Unauthenticated attackers can supply malicious model repositories containing custom Transformers code via auto_map configurations in config.json or tokenizer_config.json files. The malicious code executes with the full privileges of the OpenMed service process, making this a critical security issue.