Insecure Custom Deserialization in intel/neural-compressor Leading to Arbitrary Code Execution
The UnpicklerWrapper class in neural_compressor/torch/algorithms/layer_wise/load.py (L90–L160) overrides find_class() but unconditionally falls back to super().find_class(), allowing arbitrary class resolution during pickle deserialization. A malicious .pt checkpoint embedding a crafted reduce payload triggers OS-level code execution when passed to load(). CVSS v3.1: 9.8 Critical (CWE-502).
neural_compressor_vuln_report.pdf
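To make the described flaw concrete, the following added example (not code from the neural-compressor project) contrasts a hypothetical find_class() override that falls back to the parent resolver with one that only resolves an explicit allowlist; the two unpickler classes, ALLOWED_GLOBALS and the sample pickles are constructed for this illustration.

```python
import collections
import io
import pickle

# Added example, not code from neural-compressor. Both unpicklers are
# hypothetical stand-ins; the first mirrors the flawed shape the report describes.
ALLOWED_GLOBALS = {("collections", "OrderedDict"): collections.OrderedDict}

class PermissiveUnpickler(pickle.Unpickler):
    # Overrides find_class() but always falls back to the parent resolver.
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return ALLOWED_GLOBALS[(module, name)]
        # The flaw: any importable module attribute is still resolved here.
        return super().find_class(module, name)

class RestrictedUnpickler(pickle.Unpickler):
    # Resolves only allowlisted globals; anything else aborts the load.
    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"global {module}.{name} is not allowed in checkpoints"
            ) from None

def load_permissive(data: bytes):
    return PermissiveUnpickler(io.BytesIO(data)).load()

def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_rejected(data: bytes) -> bool:
    # True when the restricted loader refuses the pickle before resolving it.
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False

# Constructed sample inputs: a benign state dict, and a pickle that merely
# references a class outside the allowlist (same module, different name; no
# call is made, so resolving it runs nothing).
BENIGN_STATE_DICT = pickle.dumps(collections.OrderedDict(weight=[1.0, 2.0]))
UNLISTED_GLOBAL = pickle.dumps(collections.deque)
```

The permissive loader hands back whatever global the stream names, while the restricted one fails closed; this allowlisting approach is the same idea behind `torch.load(..., weights_only=True)`.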