-
Bug
-
Resolution: Duplicate
-
Undefined
-
None
-
None
-
False
-
-
False
-
-
Vulnerability Details
CWE Type(s): CWE-78
Severity: MEDIUM
Team: PyTorch Compile
Location
- File: torch/_inductor/compiler_bisector.py
- Lines: 702
Description
Command Injection via unvalidated run_cmd from sys.argv
run_cmd constructed from sys.argv[2:] without validation before passing to subprocess.run
Impact
run_cmd constructed from sys.argv[2:] without validation before passing to subprocess.run. While sys.argv is a list (safer than strings), the lack of validation could allow empty commands or unexpected command structures that could cause security issues or denial of service.
Root Cause
run_cmd constructed from sys.argv[2:] without validation before passing to subprocess.run
Fix Status
MR Link: https://gitlab.com/redhat/rhel-ai/team-pytorch/pytorch/-/merge_requests/167
Fix Branch: security-fix-cwe78-compiler-bisector
Status: IMPLEMENTED
Related Exploit Files
- test_command_injection_compiler_bisector_subprocess.py
Exploit Code Sample
# Security regression test that validates the fix # Test file: test_command_injection_compiler_bisector_subprocess.py # The test verifies: # 1. Proper input validation # 2. Safe subprocess execution # 3. Protection against command injection attacks
References
- CWE Reference: https://cwe.mitre.org/data/definitions/78.html
- CVE Table: /pytorch_workspace/Security_related_files/Security_related_files/Command_Injection/Command_Injection_part_004/results/cve_analyzed_report.csv
Generated by CI Security Bot on 2026-02-03