AIPCC-9571

[BOT][Security] CWE-78 in common.py:3718-3726



      Vulnerability Details

      CWE Type(s): CWE-78
      Severity: HIGH
      Team: PyTorch Compile

      Location

      • File: benchmarks/dynamo/common.py
      • Lines: 3718-3726

      Description

      Command injection vulnerability through unvalidated sys.argv elements passed directly to subprocess calls. The code passes sys.argv elements to subprocess.check_call() without proper validation, potentially allowing argument injection if an attacker can control command-line arguments.

      The vulnerable pattern constructs a command list using sys.argv without validation, which can enable injection attacks through argument confusion, flag injection, or specially crafted argument values.

      Impact

      • Argument injection via command-line parameters
      • Unauthorized command execution during benchmark warmup
      • Potential for malicious flags to be interpreted
      • CI/CD pipeline compromise if attacker can control script arguments

      Root Cause

      Direct use of sys.argv without validation in subprocess calls. Even with list-based arguments (shell=False), unvalidated command-line parameters can enable various injection attacks.

      Fix Status

      MR Link: Not yet created
      Fix Branch: N/A
      Status: UNPATCHED

      Related Exploit Files

      • test_cwe78_dynamo_sysargv.py

      Exploit Code Sample

      import subprocess
      import sys

      # VULNERABLE: the process's own argv is forwarded verbatim to a child interpreter,
      # so any flag or value an attacker can place on the command line reaches the child.
      cmd = [sys.executable] + sys.argv
      subprocess.check_call(cmd)
      # FIX: Validate sys.argv elements before use

      Test Coverage

      Test Results: Passed: 1, Failed: 2, Skipped: 0

      References


      Generated by CI Security Bot on 2026-01-31

              rh-ee-rpunia Riya Punia