torch.load of single model file path in optimate neural_magic_training.pyMITRE service request: 1987825
Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).
The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When a user provides a single model file path (e.g., .pt or .pth) via the –model command-line argument, the function loads the file using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects through the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution during deserialization on the victim’s system.
Supplying --model /path/to/evil.pt hits the same insecure torch.load path: full pickle gadget execution on read. Attackers only need to convince the victim to download and point the CLI at a weaponized artifact.
a6d302f912b481c94370811af6b11402f51d377f..pt / .pth passed via -model.torch.load without weights_only=True.High for interactive researchers pulling third-party checkpoints.
torch.load.