Arbitrary Code Execution via Maliciously Crafted `pytorch_model.bin` on Hugging Face Hub
Overview
A critical supply chain vulnerability stems from the use of Python's `pickle` serialization format in PyTorch model files (`pytorch_model.bin`). A file written by `torch.save()` is a ZIP archive whose `data.pkl` entry is a pickle stream, and `torch.load()` feeds that stream to an unpickler. Pickle is not a data format but a small stack machine: its `GLOBAL`/`STACK_GLOBAL` opcodes import any importable callable and `REDUCE` calls it, so deserializing untrusted pickle data is equivalent to running untrusted code. An attacker can craft a `pytorch_model.bin` whose pickle stream resolves to, for example, `os.system` or `subprocess` and executes arbitrary code the moment the file is loaded; the weights themselves may even be genuine so the model still works afterwards.
The attacker then uploads this poisoned model to a public registry like the Hugging Face Hub, often disguising it as a legitimate or fine-tuned version of a popular model. When an unsuspecting developer or automated MLOps pipeline downloads and loads the model using standard library calls like `AutoModel.from_pretrained('attacker/poisoned-model')`, and the repository ships only a `pytorch_model.bin`, the loader falls back to `torch.load()` and the malicious code executes on their machine with the user's permissions. This can be used to steal credentials (e.g., AWS keys, SSH keys, Hub tokens), install persistent backdoors, or use the victim's compute resources for cryptocurrency mining. The attack is particularly insidious because it exploits the trust inherent in the open-source AI community and the standard tooling used for model sharing; no exploit of a memory-safety bug is required, only the documented behaviour of `pickle`.
The widespread adoption of the `safetensors` format is a direct response to this fundamental security flaw: it stores a JSON header plus raw tensor bytes and has no opcode that can name or call a function. PyTorch also added a `weights_only=True` mode to `torch.load()` that uses a restricted unpickler and, since PyTorch 2.6, makes it the default; older PyTorch versions, and any code that passes `weights_only=False`, remain fully exposed.
Affected Systems
Any code path that unpickles a checkpoint obtained from an untrusted source: direct calls to `torch.load()` without `weights_only=True` (the default behaviour before PyTorch 2.6), and library loaders such as `transformers` `from_pretrained()` when the repository provides `pytorch_model.bin` but no `model.safetensors`. The same applies to other `torch.save()` outputs (`.pt`, `.pth`, `.ckpt`), which use the identical pickle-in-ZIP layout, and to automated MLOps pipelines that pull models from the Hub without human review.
Testing Guide
To assess your risk:
1. **Check your code**: Audit your projects for calls to `from_pretrained()` or `torch.load()` that may be loading models from untrusted sources. For each `torch.load()` call, confirm that `weights_only=True` is passed explicitly (or that the installed PyTorch is 2.6 or newer, where it is the default) and that nobody has set `weights_only=False` to "fix" a loading error.
2. **Inspect model files**: Before loading a new model, inspect its files on the Hugging Face Hub. If it only contains a `pytorch_model.bin` file and not a `model.safetensors` file, it carries a higher risk. Prefer models that provide a `.safetensors` version. For a pickle-based file, the Hub's file page lists the modules the pickle imports; anything beyond `collections`, `torch` and `torch._utils` in a plain weights file warrants a closer look.
3. **Know what `trust_remote_code` does and does not cover**: `transformers` only executes custom modelling code from a repository when you pass `trust_remote_code=True` (the default is `False`). This flag does not protect against a malicious `pytorch_model.bin`: the pickle payload runs inside `torch.load()`, regardless of `trust_remote_code`. Treat the two as separate risks.
Mitigation Steps
1. **Prioritize `safetensors`**: Use the `.safetensors` format for loading models wherever it is available. The format is a length-prefixed JSON header followed by raw tensor bytes; a loader only parses JSON and slices buffers, so there is nothing in it that can name or call a function. Pass `use_safetensors=True` to `from_pretrained()` so the loader will not silently fall back to a pickle file when no `.safetensors` weights exist.
2. **Restrict the unpickler**: Where a pickle-based checkpoint cannot be avoided, call `torch.load(path, weights_only=True)`. This uses PyTorch's restricted unpickler, which only admits the globals needed to rebuild tensors and state dicts. It is the default from PyTorch 2.6 onwards; on older versions it must be set explicitly.
3. **Scan Models**: Use the Hub's pickle-import scan (shown on each file's page) or third-party scanners such as picklescan or ModelScan to list the globals a checkpoint imports before loading it. Scanning is a detective control, not a substitute for the loader-side restrictions above.
4. **Vet Sources**: Only use models from trusted, verified organizations and publishers on the Hub. Be suspicious of newly created accounts, models with little community engagement, and "fine-tuned" re-uploads of popular models that ship only a `pytorch_model.bin`. Pin the exact commit revision you reviewed rather than tracking `main`.
5. **Sandbox Execution**: When experimenting with untrusted models, load and run them in a sandboxed, isolated environment (e.g., a container with no network access, no mounted credentials and a throwaway Hub token) to contain any potential threats.
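The claim in step 1 that `safetensors` "has no code execution capabilities" can be checked by looking at what a loader has to do. The following added example, which is not the `safetensors` library's code, writes and parses the container in pure Python: an 8-byte little-endian header length, a JSON header mapping tensor names to `dtype`, `shape` and `data_offsets`, then the byte buffer. The offset checks (tensors must tile the buffer exactly, with no gaps, overlaps or trailing bytes, and `shape` times element size must match the span) are the ones a loader needs to avoid reading outside the buffer; `EXAMPLE_FILE` is constructed in-memory for the demo and the dtype table covers only the types the demo uses.

```python
# Added example (not the safetensors library's code): a pure-Python reader for
# the safetensors container, showing why loading it cannot run code.
import json
import struct

# Bytes per element for the dtypes this demo accepts (a subset of the format).
ITEM_SIZE = {"F32": 4, "F16": 2, "BF16": 2, "F64": 8, "I64": 8, "I32": 4, "I8": 1, "U8": 1, "BOOL": 1}
MAX_HEADER_BYTES = 100 * 1024 * 1024  # upper bound on header size (assumed limit for this demo)


def build_safetensors(tensors, metadata=None):
    """Serialize {name: (dtype, shape, raw little-endian bytes)} into a safetensors file."""
    header, blob = {}, bytearray()
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [len(blob), len(blob) + len(raw)]}
        blob += raw
    if metadata:
        header["__metadata__"] = metadata   # free-form string-to-string map
    header_bytes = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(header_bytes)) + header_bytes + bytes(blob)


def parse_safetensors(data):
    """Return {name: {"dtype", "shape", "data"}} or raise ValueError.

    The entire parse is: read a length, json.loads the header, slice the buffer.
    There is no object graph and no callable to invoke, which is exactly the
    property pickle lacks.  Malformed offsets are rejected rather than trusted.
    """
    if len(data) < 8:
        raise ValueError("truncated: no header length")
    (header_len,) = struct.unpack("<Q", data[:8])
    if header_len > MAX_HEADER_BYTES or 8 + header_len > len(data):
        raise ValueError("header length out of range")
    header = json.loads(data[8:8 + header_len].decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    buffer = memoryview(data)[8 + header_len:]

    spans = []
    for name, info in header.items():
        if name == "__metadata__":
            if not (isinstance(info, dict)
                    and all(isinstance(k, str) and isinstance(v, str) for k, v in info.items())):
                raise ValueError("__metadata__ must map strings to strings")
            continue
        try:
            dtype, shape, (start, end) = info["dtype"], info["shape"], info["data_offsets"]
        except (KeyError, TypeError, ValueError):
            raise ValueError(f"{name}: malformed tensor entry")
        if dtype not in ITEM_SIZE:
            raise ValueError(f"{name}: unsupported dtype {dtype!r}")
        if not (isinstance(shape, list) and all(isinstance(d, int) and d >= 0 for d in shape)):
            raise ValueError(f"{name}: bad shape")
        numel = 1
        for d in shape:
            numel *= d
        if not (isinstance(start, int) and isinstance(end, int) and 0 <= start <= end <= len(buffer)):
            raise ValueError(f"{name}: offsets outside buffer")
        if end - start != numel * ITEM_SIZE[dtype]:
            raise ValueError(f"{name}: offsets do not match shape * dtype size")
        spans.append((start, end, name, dtype, shape))

    tensors, cursor = {}, 0
    for start, end, name, dtype, shape in sorted(spans):
        if start != cursor:
            raise ValueError(f"{name}: gap or overlap before offset {start}")
        tensors[name] = {"dtype": dtype, "shape": shape, "data": bytes(buffer[start:end])}
        cursor = end
    if cursor != len(buffer):
        raise ValueError("trailing bytes after the last tensor")
    return tensors


def is_well_formed(data):
    """True if parse_safetensors accepts the bytes, False if it rejects them."""
    try:
        parse_safetensors(data)
        return True
    except ValueError:
        return False


def safetensors_files(filenames):
    """Step 1 as a policy check: the .safetensors files in a repo listing, or [] if it has none."""
    return sorted(f for f in filenames if f.endswith(".safetensors"))


# Constructed two-tensor file standing in for model.safetensors.
EXAMPLE_FILE = build_safetensors(
    {"layer.weight": ("F32", [2, 3], struct.pack("<6f", 0.1, 0.2, 0.3, 0.4, 0.5, 0.6)),
     "layer.bias": ("F32", [2], struct.pack("<2f", 0.0, 1.0))},
    metadata={"format": "pt"},
)

if __name__ == "__main__":
    for name, t in parse_safetensors(EXAMPLE_FILE).items():
        print(name, t["dtype"], t["shape"], len(t["data"]), "bytes")
    print("truncated file accepted?", is_well_formed(EXAMPLE_FILE[:-1]))
    print("repo with only pytorch_model.bin:", safetensors_files(["config.json", "pytorch_model.bin"]))
```

Note what the reader does not do: it never looks up a name in a module or calls anything it found in the file. A hostile header can at most make the parser raise, which is the failure mode you want from a weights loader.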
Patch Details
This is an ecosystem-wide risk rather than a single bug with a single patch. `pickle` executing code on load is documented, intended behaviour, so the mitigations are in the surrounding ecosystem: the community created and promoted the `safetensors` format; Hugging Face libraries now prefer `.safetensors` files when a repository provides them and the Hub scans pickle files and displays their imports; and PyTorch added the `weights_only=True` restricted-unpickler mode to `torch.load()`, first warning when it is not set and, from PyTorch 2.6, making it the default. Code that pins an older PyTorch, passes `weights_only=False`, or loads repositories that ship only `pytorch_model.bin` does not benefit from any of these changes.