Malicious Code Execution via Unsafe `pickle` Deserialization in Hugging Face Models
Overview
A critical supply chain vulnerability was demonstrated affecting the broader machine learning ecosystem, particularly models shared on public hubs like Hugging Face. The vulnerability exploits the unsafe deserialization of model files that use Python's `pickle` format, such as older PyTorch (`.pt`, `.pth`, `.bin`) and scikit-learn (`.pkl`) models. Attackers can craft a malicious model file whose pickle opcode stream instructs the unpickler to import and call arbitrary Python callables. When an unsuspecting developer or MLOps pipeline downloads and loads this model using standard functions like `torch.load()`, that embedded code runs during deserialization, giving the attacker remote code execution on the victim's machine. This 'Sleeper Agent' style attack is particularly insidious because the malicious payload sits in the same pickle stream as the model's tensor data and is not easily detectable by static analysis or antivirus tools. The impact is severe: attackers can compromise development environments, poison training data, steal proprietary models and data, or pivot to attack production infrastructure. This discovery accelerated the community-wide adoption of safer model serialization formats like `safetensors`, which strictly prohibits code execution and only allows the storage of tensor data.
Affected Systems
Testing Guide
1. **Check Model Format**: Identify all models in your workflows that are stored in `.pkl`, `.pt`, `.pth`, or `.bin` (for older PyTorch) formats.
2. **Use a Scanning Tool**: Run a tool like `picklescan` on your model files: `picklescan --path /path/to/your/models`.
3. **Review Scanner Output**: The tool reports any files that contain potentially dangerous opcodes or imports. Any positive finding indicates a high risk.
4. **Check Code**: Audit your codebase for any instances of `torch.load(f)` called without `weights_only=True`, and for any `pickle.load(f)` on untrusted input (plain `pickle.load` has no equivalent safety parameter).
Mitigation Steps
1. **Use `safetensors`**: Prioritize loading models exclusively in the `.safetensors` format. Many models on Hugging Face now provide this option.
2. **Scan Models**: Before loading any model, use scanning tools like `picklescan` to check for malicious payloads in `pickle`-formatted files.
3. **Disable Arbitrary Code in Loaders**: When loading PyTorch models, use `torch.load(file, weights_only=True)` whenever possible to prevent the loading of anything other than tensor data. This feature was added in PyTorch 1.13.
4. **Distrust Public Models**: Treat all models from public repositories as untrusted code. Only use models from verified creators or organizations with a strong security posture.
5. **Isolate Loading Process**: Load new models for the first time in a sandboxed, network-isolated environment to contain any potential malicious activity.
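The scanning step in the Testing Guide and the restricted-loader mitigation above both rest on the same idea: enumerate every global the pickle stream asks the unpickler to import, and refuse anything outside a known-safe set. The following is an added example (not code from this advisory, PyTorch or `picklescan`) that does both with the standard library only: `pickletools.genops` disassembles the stream without executing it, and a `RestrictedUnpickler` enforces the same allowlist at load time. The `SAFE_GLOBALS` set and the two sample pickles are constructed for illustration; the suspect sample merely embeds a `datetime.date` to stand in for an unexpected import.

```python
import datetime
import io
import pickle
import pickletools
from typing import List, Tuple

# Constructed allowlist of (module, name) pairs a model loader is willing to import.
# A real loader would keep its own, as narrow as its file format allows.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}

# Opcodes that push a string; STACK_GLOBAL reads its operands from these.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def pickle_globals(data: bytes) -> List[Tuple[str, str]]:
    """List every (module, name) the opcode stream would import, without running it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":        # protocol <= 3: one "module name" argument
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":  # protocol 4+: the two most recent strings
            found.append((strings[-2], strings[-1]))
    return found


def scan_pickle(data: bytes) -> List[Tuple[str, str]]:
    """Return imports outside the allowlist; an empty list means nothing suspicious."""
    return [g for g in pickle_globals(data) if g not in SAFE_GLOBALS]


class RestrictedUnpickler(pickle.Unpickler):
    """Blocks any import outside SAFE_GLOBALS at load time (the weights_only idea)."""

    def find_class(self, module, name):
        if (module, name) not in SAFE_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_load(data: bytes):
    """Deserialize through the restricted unpickler instead of pickle.loads."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed samples: a plain state dict, and one carrying an unexpected import.
CLEAN = pickle.dumps({"layer.weight": [0.1, 0.2]}, protocol=4)
SUSPECT = pickle.dumps({"created": datetime.date(2024, 1, 1)}, protocol=4)
```

Run `scan_pickle` over a file's bytes before any load; a non-empty result is the same signal `picklescan` raises, and `safe_load` then refuses the file even if the scan was skipped.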
Patch Details
This is a fundamental risk inherent to the pickle format rather than a bug that can be patched. The mitigation is to migrate to safer formats like safetensors.