Severity: Medium
backend/services/text_encoder/ltx_text_encoder.py (~L229): conditioning = pickle.loads(response.content).
The prompt-embedding response from https://api.ltx.video/v1/prompt-embedding is deserialized with pickle.loads. The base URL is hardcoded HTTPS to the vendor, so it isn't attacker-controllable in the normal case, but pickle over the wire means any compromise of that endpoint, a TLS-MITM, or DNS hijack yields arbitrary code execution on the user's machine (with the user's LTX API key already attached).
Fix
Don't transport tensors as pickle. Return safetensors/numpy/JSON and load via safetensors / numpy.load(allow_pickle=False). If the wire format can't change, use a restricted unpickler allowlisting only the expected tensor types.
Severity: Medium
backend/services/text_encoder/ltx_text_encoder.py(~L229):conditioning = pickle.loads(response.content).The prompt-embedding response from
https://api.ltx.video/v1/prompt-embeddingis deserialized withpickle.loads. The base URL is hardcoded HTTPS to the vendor, so it isn't attacker-controllable in the normal case, but pickle over the wire means any compromise of that endpoint, a TLS-MITM, or DNS hijack yields arbitrary code execution on the user's machine (with the user's LTX API key already attached).Fix
Don't transport tensors as pickle. Return safetensors/numpy/JSON and load via
safetensors/numpy.load(allow_pickle=False). If the wire format can't change, use a restricted unpickler allowlisting only the expected tensor types.