Arbitrary Code Execution via Deserialization of Untrusted PyTorch Model Weights
Overview
A pervasive supply chain vulnerability exists within the machine learning ecosystem due to the insecure default behavior of `torch.load()`, a core function in the PyTorch library for loading saved model files (`.pt`, `.pth`, `.bin`). This function internally relies on Python's `pickle` module, which is known to be insecure for deserializing untrusted data. An attacker can craft a malicious model file containing an embedded Python pickle payload. This file can then be uploaded to a public model repository like the Hugging Face Hub, disguised as a legitimate pre-trained model. When a researcher or developer downloads this file and loads it using `torch.load()`, the malicious payload is executed on their machine with the permissions of the running user. This can lead to remote code execution (RCE), data theft, or the installation of persistent backdoors. This attack vector is particularly dangerous because sharing and downloading model weights is a standard and encouraged practice in the AI community. While the `safetensors` format was developed as a secure alternative, the legacy `.bin` format and the use of `torch.load()` without security precautions remain widespread. This vulnerability underscores the critical need for verifying the provenance of all AI artifacts and treating model weights as potentially executable code.
Affected Systems
Testing Guide
1. **Check Model Loading Code**: Audit your codebase for any calls to `torch.load(file)`.
2. **Verify `weights_only` Parameter**: Ensure that all `torch.load()` calls pass the `weights_only=True` argument.
3. **Scan Existing Models**: Download and run a model scanner like `picklescan` against your local directory of saved model weights: `picklescan --path /path/to/your/models`. Any findings indicate a potentially malicious model.
Mitigation Steps
1. **Use `safetensors`**: Whenever possible, exclusively use models stored in the `safetensors` format, which holds only raw tensor data and metadata and therefore cannot execute code when loaded.
2. **Load Weights Only**: When using `torch.load()`, set the `weights_only=True` parameter (available in recent PyTorch versions). This restricts unpickling to tensors and a small set of allowed built-in types and raises an error if the file references anything else.
3. **Scan Models**: Use model scanning tools like `picklescan` to inspect model files for suspicious pickle payloads before loading them.
4. **Verify Provenance**: Only download and use models from trusted, verified creators on platforms like Hugging Face. Check for signs of repository tampering or suspicious activity.
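As an added example (not part of this advisory and not PyTorch's own implementation), the following Python mirrors the `weights_only=True` approach referenced in the testing and mitigation steps above: a restricted `Unpickler` whose `find_class` refuses every global outside a small allowlist, exercised against a constructed benign checkpoint and a constructed blob that references a disallowed global. `SAFE_GLOBALS`, `safe_load` and `is_safe` are names invented here, and plain Python lists stand in for tensors so the example runs without PyTorch installed.

```python
import io
import pickle
from collections import OrderedDict

# Globals a plain state_dict needs. Constructed allowlist for this example;
# PyTorch's own weights_only allowlist is longer (tensor and storage types etc.).
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global that is not on the allowlist.

    find_class() is invoked when a GLOBAL/STACK_GLOBAL opcode is hit, which is
    before the REDUCE that would call the resolved object. Raising here
    therefore aborts the load before any attacker-chosen callable can run.
    """

    def find_class(self, module, name):
        if (module, name) not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(
                f"blocked global {module}.{name}: not on allowlist")
        return super().find_class(module, name)


def safe_load(data: bytes):
    """weights_only-style load: returns the object or raises UnpicklingError."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe(data: bytes) -> bool:
    """Scanner-style verdict: True only if every referenced global is allowed."""
    try:
        safe_load(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed stand-in for a legitimate checkpoint: nested lists instead of tensors.
BENIGN_CHECKPOINT = pickle.dumps(OrderedDict(
    [("layer.weight", [[0.1, 0.2], [0.3, 0.4]]), ("layer.bias", [0.0, 0.0])]))

# Constructed stand-in for an untrusted file: it references builtins.len, a harmless
# global that is nevertheless outside the allowlist, so the loader must reject it.
UNTRUSTED_BLOB = pickle.dumps(len)

if __name__ == "__main__":
    print("benign checkpoint allowed:", is_safe(BENIGN_CHECKPOINT))   # True
    print("untrusted blob allowed:  ", is_safe(UNTRUSTED_BLOB))       # False
```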
Patch Details
There is no single patch: this is an insecure design pattern rather than a discrete bug. PyTorch 1.13+ introduced the `weights_only` parameter as a mitigation.