Impact
The load_model function in the neural_magic_training.py script of the optimate project contains an insecure deserialization flaw (CWE-502). When it loads a model's state dictionary from a state_dict.pt file via torch.load(), it does not set the weights_only=True security parameter, so torch.load falls back to full pickle deserialization and will instantiate arbitrary Python objects from the file. A malicious actor can therefore craft a state_dict.pt file that executes arbitrary code while it is being loaded, compromising the integrity, confidentiality, and availability of the system that runs the script.
Affected Systems
The vulnerability affects the optimate project, specifically the neural_magic_training.py script in the commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21). Any deployment of optimate that loads model files via the --model argument and uses the default torch.load behavior is susceptible, regardless of the specific operating system or Python environment, because the insecure pickle deserialization is hardcoded into the script.
Risk and Exploitability
The flaw yields remote code execution. Its likelihood of exploitation cannot be quantified precisely because no EPSS data is available; the vulnerability is nonetheless severe, since an attacker who supplies a malicious state_dict.pt file through the model path obtains arbitrary code execution. The absence of a KEV listing means it has not yet been reported as widely exploited, but the inherent risk of remote code execution warrants immediate attention. The attack vector is inferred to be remote: the attacker must place the malicious file in the directory specified by the --model argument, after which it is processed during normal script execution.
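The pattern described above can be checked for mechanically. The following is an added example (not code from the optimate project or the advisory) that walks a Python source tree's AST and flags every torch.load() call that lacks weights_only=True or sets it to something other than the literal True; the embedded source is a constructed stand-in for the vulnerable and fixed load_model shapes, not the project's real file, and the checker assumes torch is referenced as `torch.load` rather than through an import alias.

```python
import ast
from typing import List, Tuple

# Constructed sample resembling the advisory's pattern (not the project's actual
# source): one unsafe torch.load call and one hardened call.
SAMPLE_SOURCE = '''
import os
import torch

def load_model(model_dir):
    sd = torch.load(os.path.join(model_dir, "state_dict.pt"))  # unsafe
    return sd

def load_model_fixed(model_dir):
    sd = torch.load(os.path.join(model_dir, "state_dict.pt"),
                    map_location="cpu", weights_only=True)
    return sd
'''


def _is_torch_load(call: ast.Call) -> bool:
    """True for a call written as torch.load(...)."""
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr == "load"
            and isinstance(f.value, ast.Name) and f.value.id == "torch")


def find_unsafe_torch_load(source: str) -> List[Tuple[int, str]]:
    """Return (line, reason) for every torch.load() call that would fall back
    to full pickle deserialization: weights_only absent, or not literally True.
    Assumption: torch is used as the plain name `torch` (aliases are not tracked)."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_torch_load(node)):
            continue
        kw = next((k for k in node.keywords if k.arg == "weights_only"), None)
        if kw is None:
            findings.append((node.lineno, "weights_only not set"))
        elif not (isinstance(kw.value, ast.Constant) and kw.value.value is True):
            findings.append((node.lineno, "weights_only is not the literal True"))
    return findings


if __name__ == "__main__":
    for line, reason in find_unsafe_torch_load(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

Run it over a repository by reading each .py file into `find_unsafe_torch_load`; the fixed variant in the sample produces no finding, the original shape is reported.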
OpenCVE Enrichment