# OpenVINO Code Injection via exec() PoC — EXEC-VULN-01

## Vulnerability

Code injection in the PyTorch frontend at `src/bindings/python/src/openvino/frontend/pytorch/utils.py:204`.

Model `forward()` parameter names are interpolated into a Python class template and passed to `exec()` without sanitization.

## PoC

`poc_exec_injection.py` creates a PyTorch model with a crafted `forward()` parameter name containing Python code. When `openvino.convert_model()` processes this model, the parameter name is interpolated into the template string and `exec()` runs the injected code.

## Reproduction

```bash
pip install torch openvino
python poc_exec_injection.py
# Creates malicious_model.pt

python -c "
import torch, openvino as ov
model = torch.load('malicious_model.pt')
ov.convert_model(model)
# Injected code executes: id > /tmp/openvino-rce-proof.txt
"
cat /tmp/openvino-rce-proof.txt
# Shows: uid=... output from injected command
```

## Impact

Arbitrary code execution when converting a malicious PyTorch model via `openvino.convert_model()`. Supply chain attack via models published to HuggingFace or shared internally.

## CWE

CWE-94 (Improper Control of Generation of Code)

## CVSS

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H — 8.1