Impact
The Ludwig framework up to and including version 0.10.4 loads model weight files with torch.load() without passing weights_only=True. Without that flag, torch.load() hands the file to Python's pickle module, which will instantiate arbitrary Python objects and call arbitrary callables named in the stream, a classic insecure deserialization flaw (CWE-502). An attacker who can supply a maliciously crafted PyTorch model file therefore gets arbitrary code execution on the machine that starts the Ludwig model server. The code runs at deserialization time, as soon as the serve process opens the file and before any inference request is handled, so it compromises the confidentiality, integrity, and availability of the entire host.
Affected Systems
The vulnerability affects all installations of the Ludwig framework through version 0.10.4 in which the serve command is used to start a model server. No specific vendor or product list is provided by the CNA, but any deployment that runs the serve component with its default configuration is at risk, and the exposure is greatest where the model files it loads come from sources the operator does not fully control (a public model hub, shared storage, or a build pipeline that other parties can write to).
Risk and Exploitability
The vulnerability has no publicly published CVSS score or EPSS estimate, but the described flaw yields code execution, remote or local depending on how the attacker is able to introduce the malicious model file. The precondition is write or substitution access to the model artifact that the serve command loads, not access to the inference endpoint itself: a client that can only send prediction requests cannot trigger the flaw, whereas anyone who can place or replace the weight file on disk, or poison the location it is fetched from, can. The vulnerability is not listed in the CISA KEV catalog, but its severity is high because arbitrary code execution can lead to complete system compromise. In the absence of a CVSS score, the risk assessment rests on the nature of insecure deserialization and on the potential for full exploitation. As a practical check, operators should confirm that model files are loaded with torch.load(..., weights_only=True), which restricts unpickling to tensors, primitive containers and a small allowlist of types (PyTorch 2.6 and later make this the default), and should prefer formats such as safetensors that do not use pickle at all for any weights obtained from third parties.
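The following added example (not code from Ludwig, PyTorch or the advisory) reproduces the mechanism described above with only the standard library: a "model file" that is really a pickle whose reduce hook runs code at load time, an unrestricted load that mimics the pre-2.6 torch.load() default, and a restricted unpickler in the style of torch.load(weights_only=True) that refuses any global outside an allowlist. The payload, the allowlist and the environment-variable marker it sets are constructed for the demo; the allowlist is deliberately tiny and is not PyTorch's actual list.

```python
import io
import os
import pickle
from collections import OrderedDict

# Constructed marker: the payload sets this variable instead of doing real damage.
MARKER = "LUDWIG_DEMO_PWNED"


class MaliciousPayload:
    """An object whose pickle stream calls builtins.exec when loaded.

    __reduce__ tells pickle "to rebuild me, call exec(<this source>)", which
    is exactly how a crafted model file executes code inside torch.load().
    """

    def __reduce__(self):
        code = f"import os\nos.environ[{MARKER!r}] = 'yes'"
        return (exec, (code,))


def build_malicious_model_bytes() -> bytes:
    """Serialize the payload as if it were a saved model."""
    return pickle.dumps(MaliciousPayload())


def build_benign_state_dict_bytes() -> bytes:
    """A harmless stand-in for a state dict: an OrderedDict of plain lists."""
    state = OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])])
    return pickle.dumps(state)


def load_unsafe(data: bytes):
    """Mimics torch.load() without weights_only: plain pickle, runs the payload."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolve globals that a tensor/state-dict file legitimately needs.

    torch.load(weights_only=True) applies the same idea with a larger
    allowlist; anything else, including builtins.exec, is rejected before
    it can be called.
    """

    ALLOWED = {
        ("collections", "OrderedDict"),
        ("builtins", "set"),
        ("builtins", "frozenset"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_restricted(data: bytes):
    """Returns ("ok", obj) for allowlisted content, ("blocked", reason) otherwise."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


def marker_set() -> bool:
    """True once the payload has executed in this process."""
    return MARKER in os.environ


if __name__ == "__main__":
    evil = build_malicious_model_bytes()
    print("restricted load of payload:", load_restricted(evil))
    print("marker before unsafe load:", marker_set())
    load_unsafe(evil)
    print("marker after unsafe load:", marker_set())
    print("restricted load of state dict:", load_restricted(build_benign_state_dict_bytes()))
```

The restricted loader rejects the payload at the find_class step, i.e. before the stream can name a callable, while still reconstructing an ordinary OrderedDict state dict. The same separation holds for real weight files: a genuine state dict needs only container and tensor types, so an allowlist costs nothing for legitimate models and removes the code-execution path entirely.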
OpenCVE Enrichment