Optimate Arbitrary Code Execution Vulnerability in Neural Magic Training Script
Vulnerability
A vulnerability allowing arbitrary code execution has been identified in the Optimate project, specifically within the neural_magic_training.py script. This issue arises from the _load_model() function, which, in commit a6d302f912b481c94370811af6b11402f51d377f, allows users to execute arbitrary Python code by supplying a directory path through the --model command-line argument. The function reads a module.py file from the specified directory and executes its contents using Python's exec() function. This implementation lacks proper validation or sanitization of the file's content, enabling an attacker to execute malicious code in the context of the process running the script.
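One way to close the gap described above, as an added example that is not code from the Optimate project or its fix: the loader executes module.py only when its SHA-256 digest is on an operator-maintained allowlist. The names load_model_module, UntrustedModuleError and demo are hypothetical, the allowlist is an assumption, and the sample module.py contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


class UntrustedModuleError(Exception):
    """Raised when module.py is not on the operator's allowlist."""


def load_model_module(model_dir, trusted_sha256):
    """Return the namespace defined by <model_dir>/module.py, but only if the
    file's SHA-256 digest is pinned in trusted_sha256 (a set of hex strings).

    Hypothetical hardened stand-in for the exec()-based loading the advisory
    describes; it is not Optimate's _load_model().
    """
    path = Path(model_dir) / "module.py"
    # Read once: the bytes that are hashed are the bytes that get executed,
    # so the file cannot be swapped between the check and the exec().
    source = path.read_bytes()
    digest = hashlib.sha256(source).hexdigest()
    if digest not in trusted_sha256:
        raise UntrustedModuleError(f"{path}: digest {digest} is not pinned")
    namespace = {"__name__": "model_module"}
    exec(compile(source, str(path), "exec"), namespace)
    return namespace


def demo():
    """Constructed sample: one reviewed module.py, then a modified copy."""
    reviewed = b"def get_model():\n    return 'resnet-stub'\n"
    allowlist = {hashlib.sha256(reviewed).hexdigest()}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        module_path = Path(tmp) / "module.py"
        module_path.write_bytes(reviewed)
        results["reviewed"] = load_model_module(tmp, allowlist)["get_model"]()
        # Any change to the file, even one appended line, changes the digest.
        module_path.write_bytes(reviewed + b"MARKER = 1\n")
        try:
            load_model_module(tmp, allowlist)
            results["modified"] = "executed"
        except UntrustedModuleError:
            results["modified"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Digest pinning only constrains which files run; it does not sandbox the code, so the allowlist should contain only reviewed files.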
Impact
Exploitation of this vulnerability could lead to unauthorized execution of arbitrary Python code, potentially allowing an attacker to manipulate the application or system where the script is running.
