OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad subst…

OpenMed versions before 1.5.2 contain a critical remote code execution vulnerability in the PII privacy-filter model loading path. The vulnerability stems from broad substring matching on user-supplied model_name parameters, allowing attackers to route through paths that load Hugging Face models with trust_remote_code=True. Unauthenticated attackers can exploit this by supplying malicious model repositories containing custom Transformers code via auto_map in configuration files. The malicious code is then imported and executed with the privileges of the OpenMed service process. This represents a significant security risk as it allows complete compromise of the OpenMed service without authentication requirements.