Skip to content

pickle.loads() on an HTTP response body (RCE if the endpoint is spoofed/MITM'd) #41

Description

@taskmasterpeace

Severity: Medium

backend/services/text_encoder/ltx_text_encoder.py (~L229): conditioning = pickle.loads(response.content).

The prompt-embedding response from https://api.ltx.video/v1/prompt-embedding is deserialized with pickle.loads. The base URL is hardcoded HTTPS to the vendor, so it isn't attacker-controllable in the normal case, but pickle over the wire means any compromise of that endpoint, a TLS-MITM, or DNS hijack yields arbitrary code execution on the user's machine (with the user's LTX API key already attached).

Fix

Don't transport tensors as pickle. Return safetensors/numpy/JSON and load via safetensors / numpy.load(allow_pickle=False). If the wire format can't change, use a restricted unpickler allowlisting only the expected tensor types.

Metadata

Metadata

Assignees

No one assigned

    Labels

    auditFiled from the July 2026 auditbackendPython FastAPI backendsecuritySecurity vulnerability or hardening

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions