Conversation

@orbisai0security
Contributor

Security Fix

This PR addresses a HIGH severity vulnerability detected by our security scanner.

Security Impact Assessment

Aspect, rating and rationale:

  • Impact: High. In PaddleOCR, exploiting this via MITM could allow attackers to tamper with downloaded OCR models, leading to poisoned models that produce incorrect or malicious text recognition results, potentially compromising applications like document processing or automated systems relying on accurate OCR output.
  • Likelihood: Medium. PaddleOCR is an open-source OCR tool often deployed in varied environments like servers or edge devices, where network traffic might occur over insecure connections; however, exploitation requires an attacker on the same network with motivation to intercept model downloads, which is not trivially common but feasible in public or enterprise networks.
  • Ease of Fix: Easy. Remediation involves updating the HTTP URLs to HTTPS in params.py, assuming the model servers support secure connections, requiring only a simple configuration change with minimal testing for download functionality.

Vulnerability Details

  • Rule ID: V-003
  • File: deploy/hubserving/ocr_system/params.py
  • Description: The application's default configuration specifies model download URLs using unencrypted http://. This allows an attacker on the same network to intercept and modify the model files as they are being downloaded.

Changes Made

This automated fix addresses the vulnerability by applying security best practices.

Files Modified

  • deploy/hubserving/ocr_system/params.py

Verification

This fix has been automatically verified through:

  • ✅ Build verification
  • ✅ Scanner re-scan
  • ✅ LLM code review

🤖 This PR was automatically generated.

Automatically generated security fix
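The check and remediation the PR describes (plain-http model download URLs in a params-style config, rewritten to https), as an added example that is not PaddleOCR's own code and not part of the PR. The config dict, key names and host names below are constructed for illustration; the real URLs in params.py are not reproduced here. Beyond the PR's scope, it also shows the second layer a deployer would want: refusing non-TLS download URLs at fetch time and pinning the expected SHA-256 of the model archive, so a tampered file is rejected even if transport security fails.

```python
"""Audit a params-style config for plain-http model URLs, rewrite them to
https, and gate downloads on TLS plus a pinned digest.

Added example, not PaddleOCR's own code. All sample values are constructed."""
import hashlib
from urllib.parse import urlparse, urlunparse

# Constructed sample shaped like a hubserving params module's settings.
# Hypothetical keys and hosts; not the project's real configuration.
SAMPLE_CFG = {
    "det_model_dir": "http://models.example.invalid/det_model.tar",
    "rec_model_dir": "http://models.example.invalid/rec_model.tar",
    "cls_model_dir": "https://models.example.invalid/cls_model.tar",
    "use_gpu": False,
}


def find_insecure_urls(cfg):
    """Return the config keys whose value is an unencrypted http:// URL.

    Non-string values (flags, numbers) are skipped; only the URL scheme is
    inspected, so a value like 'http_proxy_enabled' is not a false positive."""
    return [
        key for key, value in cfg.items()
        if isinstance(value, str) and urlparse(value).scheme == "http"
    ]


def upgrade_to_https(cfg):
    """Return a copy of cfg with every http:// URL rewritten to https://.

    This is the PR's remediation; it assumes the model servers actually
    serve the same paths over TLS, which must be confirmed by a test download."""
    out = dict(cfg)
    for key in find_insecure_urls(cfg):
        parts = urlparse(cfg[key])
        out[key] = urlunparse(parts._replace(scheme="https"))
    return out


def check_download_url(url):
    """Refuse to fetch anything that is not https, regardless of config.

    Defense in depth: even if a future config edit reintroduces http://,
    the downloader itself will not use it."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-TLS model download URL: {url}")
    return url


def verify_model_bytes(data, expected_sha256):
    """Compare the downloaded archive against a pinned SHA-256 digest.

    TLS protects the channel; the pinned digest protects against a
    compromised or substituted file at the origin. Both should be used."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    print("insecure keys:", find_insecure_urls(SAMPLE_CFG))
    fixed = upgrade_to_https(SAMPLE_CFG)
    for key in find_insecure_urls(SAMPLE_CFG):
        print(f"{key}: {SAMPLE_CFG[key]} -> {fixed[key]}")
    print("remaining insecure after fix:", find_insecure_urls(fixed))
```

Run the audit against the live module's dict (for example by importing params.py and passing its namespace) as a CI check, so a regression to http:// fails the build rather than silently shipping; wire check_download_url and verify_model_bytes into whatever fetches the archives, with the expected digests recorded alongside the URLs.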
@CLAassistant

CLAassistant commented Dec 4, 2025

CLA assistant check
All committers have signed the CLA.

@Bobholamovic
Member

Please sign the CLA

@paddle-bot

paddle-bot bot commented Dec 4, 2025

Thanks for your contribution!

@Bobholamovic Bobholamovic merged commit ea3fbcc into PaddlePaddle:main Dec 30, 2025
4 checks passed
@mattheliu
Contributor

@orbisai0security Thanks for your contribution! You will receive a beautiful PaddlePaddle gift. Please provide your mailing address and phone number by filling out the following questionnaire before January 23rd, 2026.

Looking forward to the future, we will walk further together in the world of open source!
Click here: https://paddle.wjx.cn/vm/wEUMTJJ.aspx#
