Hugging Face's logo

willardj
/
openvino-exec-poc

Model card Files
xet
 Community
openvino-exec-poc / README.md
willardj's picture
willardj
Upload folder using huggingface_hub
b74e696 verified
preview code
|
raw
history blame contribute delete
1.26 kB

OpenVINO Code Injection via exec() PoC — EXEC-VULN-01

Vulnerability

Code injection in the PyTorch frontend at src/bindings/python/src/openvino/frontend/pytorch/utils.py:204.

Model forward() parameter names are interpolated into a Python class template and passed to exec() without sanitization.

PoC

poc_exec_injection.py creates a PyTorch model with a crafted forward() parameter name containing Python code. When openvino.convert_model() processes this model, the parameter name is interpolated into the template string and exec() runs the injected code.

Reproduction 

pip install torch openvino
python poc_exec_injection.py
# Creates malicious_model.pt

python -c "
import torch, openvino as ov
model = torch.load('malicious_model.pt')
ov.convert_model(model)
# Injected code executes: id > /tmp/openvino-rce-proof.txt
"
cat /tmp/openvino-rce-proof.txt
# Shows: uid=... output from injected command

Impact

Arbitrary code execution when converting a malicious PyTorch model via openvino.convert_model(). Supply chain attack via models published to HuggingFace or shared internally.

CWE

CWE-94 (Improper Control of Generation of Code)

CVSS

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H — 8.1