Remote Code Execution in Hugging Face Hub via Malicious Pickled Models
Overview
Developers who download pre-trained models from public repositories such as the Hugging Face Hub are exposed to a broad supply chain weakness. The root cause is the use of Python's `pickle` serialization format for model weights and objects: `torch.load` in PyTorch is built on `pickle`, scikit-learn models are routinely saved with `pickle` or `joblib`, and many pipelines call `pickle.load` directly.

A pickle stream is not passive data; it is a program for a small stack machine. The `GLOBAL` and `STACK_GLOBAL` opcodes import any importable attribute by module and name, and `REDUCE` calls it with arguments taken from the stream, so an object whose `__reduce__` returns `(os.system, ("...",))` runs that command the moment the file is loaded, before any checksum or shape validation the application performs afterwards. An attacker crafts such a file, uploads it to a public hub under a deceptive name or as a "fine-tune" of a popular model, and waits for a developer or an automated MLOps pipeline to download and load it. The resulting code execution runs with the loader's privileges and can read environment variables (cloud and OpenAI API keys), SSH keys and access tokens, or install persistent malware.

The attack surface is large because pickle was the default serialization format for years and a great many published checkpoints still use it. Hugging Face scans uploaded pickle files and promotes the `safetensors` format, and PyTorch 2.6 made `weights_only=True` the default for `torch.load`, but legacy models, older framework versions and hand-rolled `pickle.load` calls remain exposed. This class of attack underscores the need to treat model weights as untrusted, executable input.
Affected Systems
Any workflow that loads pickle-based model files from an untrusted source: PyTorch checkpoints (`.pt`, `.pth`, `pytorch_model.bin`) loaded with `torch.load` without `weights_only=True` (the default before PyTorch 2.6), plain `.pkl` files and `joblib` dumps loaded with `pickle.load` or `joblib.load`, and MLOps pipelines that pull such files from the Hugging Face Hub or similar repositories automatically.
Testing Guide
1. **Do not use a real malicious file.** Create a safe test pickle whose only side effect is printing a marker. Save the following as `make_probe.py` and run it:

```python
import os
import pickle


class Probe:
    # __reduce__ tells pickle how to rebuild this object on load: by calling
    # os.system(...) with the given argument. A real payload would do far worse.
    def __reduce__(self):
        return (os.system, ('echo "VULNERABLE: Code executed from pickle"',))


with open("safe_test_model.pkl", "wb") as f:
    pickle.dump(Probe(), f)
```

2. In a separate script, or better in the exact loading path your pipeline uses (for example `torch.load("safe_test_model.pkl")`), load the file:

```python
import pickle

with open("safe_test_model.pkl", "rb") as f:
    data = pickle.load(f)  # the echo runs here, before load() returns
```

3. If `VULNERABLE: Code executed from pickle` appears on your console, your loading path executes code carried in model files. Run this probe only in the isolated environment you would use for untrusted models. For comparison, `torch.load("safe_test_model.pkl", weights_only=True)` (the default since PyTorch 2.6) refuses the file with an unpickling error instead of printing the marker.
Mitigation Steps
1. **Use the `safetensors` Format**: Prefer loading and saving models as `.safetensors`. The file is an 8-byte header length, a JSON header that maps tensor names to dtype, shape and byte offsets, and then raw tensor bytes; nothing in it can name a Python callable, so loading it cannot execute code. `transformers` loads `.safetensors` weights in preference to `pytorch_model.bin` when a repository ships both, and `safetensors.torch.load_file` loads them directly.
2. **Scan Models Before Loading**: Run `picklescan` over model files (or whole Hub repositories) before deserializing. It walks the pickle opcode stream with `pickletools` and flags `GLOBAL`/`STACK_GLOBAL` references to modules such as `os`, `posix`, `subprocess` and `builtins` without executing anything. Hugging Face runs a similar scan on upload and marks flagged files. Opcode scanning can be evaded by obfuscated payloads, so treat a clean scan as necessary rather than sufficient.
3. **Isolate Model Loading**: Load untrusted models in a sandboxed, network-isolated environment (e.g. a minimal container) with no cloud credentials, SSH agent socket or API tokens in the environment, so that a successful payload finds nothing to steal and nowhere to send it.
4. **Verify Model Provenance**: Use models from verified organizations, check the Hub's security-scan result and community feedback, and pin downloads to a specific commit (`revision=` in `from_pretrained` and `hf_hub_download`) so a later malicious push to the same repository cannot reach your pipeline.
5. **Restrict the Unpickler**: For PyTorch, call `torch.load(path, weights_only=True)` (the default since 2.6); it uses a restricted unpickler that only admits tensors, storages and basic containers and fails with an unpickling error on anything else. For plain `pickle`, subclass `pickle.Unpickler` and override `find_class` with an allowlist. This limits what a file can reference but still parses attacker-controlled input, so it is defense in depth, not a substitute for `safetensors`.
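The scanning step and the restricted-unpickler step above can both be demonstrated with the standard library alone. The block below is an added example, not the page's code and not `picklescan` or PyTorch's own implementation: `referenced_globals` walks the opcode stream with `pickletools.genops` and reports every module/name a file would import without executing it, `scan_pickle` turns that into a verdict, and `RestrictedUnpickler` follows the allowlisting `find_class` pattern from the Python docs. The function names, the `DANGEROUS_MODULES` and `SAFE_GLOBALS` lists, and the sample payloads (which only echo a marker if ever executed) are assumptions constructed for this example.

```python
# Added example: stdlib-only pickle inspection plus an allowlisting unpickler.
# DANGEROUS_MODULES / SAFE_GLOBALS are assumptions for this example, not
# picklescan's or torch's exact lists. Payloads are constructed marker probes.
import importlib
import io
import os
import pickle
import pickletools

DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "sys",
                     "socket", "shutil", "runpy", "importlib", "codecs",
                     "operator", "pty", "ctypes"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """(module, name) pairs the pickle would import, found without running it.

    GLOBAL carries "module name" inline; STACK_GLOBAL (protocol 4+) takes the
    two most recent string pushes, which may arrive via the memo (BINGET).
    """
    refs, stack, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            stack.append(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = stack[-1] if stack else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
            stack.append(None)
        elif op.name == "STACK_GLOBAL":
            name = stack.pop() if stack else None
            module = stack.pop() if stack else None
            refs.append((str(module), str(name)))
            stack.append(None)
        elif op.name == "STOP":
            break
        else:
            stack.append(None)  # coarse: only the top two strings must be exact
    return refs


def scan_pickle(data: bytes) -> dict:
    """Static verdict. 'allow' means no flagged import, not proof of safety."""
    refs = referenced_globals(data)
    flagged = [(m, n) for m, n in refs if m.split(".")[0] in DANGEROUS_MODULES]
    return {"globals": refs, "dangerous": flagged,
            "verdict": "reject" if flagged else "allow"}


# Globals a plain weights file legitimately needs; everything else is refused
# inside find_class, before REDUCE could ever call it.
SAFE_GLOBALS = {
    "builtins": {"dict", "list", "tuple", "set", "frozenset", "str", "bytes",
                 "int", "float", "bool", "complex", "range", "slice"},
    "collections": {"OrderedDict"},
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def try_restricted_load(data: bytes) -> tuple[bool, object]:
    """(True, obj) on success, (False, message) when a global is blocked."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


class Probe:
    """Same trick as the testing guide: os.system becomes the reconstructor."""
    def __reduce__(self):
        return (os.system, ('echo "VULNERABLE: Code executed from pickle"',))


def reduce_payload() -> bytes:
    return pickle.dumps(Probe(), protocol=4)  # STACK_GLOBAL posix/nt system


# Hand-assembled protocol-0 stream: GLOBAL os.system, MARK, STRING, TUPLE,
# REDUCE, STOP. Exercises the GLOBAL code path of the scanner.
PROTO0_PAYLOAD = b"cos\nsystem\n(S'echo VULNERABLE'\ntR."


def benign_payload() -> bytes:
    from collections import OrderedDict
    return pickle.dumps({"layers": 2, "weights": [0.1, 0.2],
                         "state": OrderedDict([("w", 1.5)])}, protocol=4)


if __name__ == "__main__":
    for label, blob in (("proto0", PROTO0_PAYLOAD), ("reduce", reduce_payload()),
                        ("benign", benign_payload())):
        print(label, scan_pickle(blob)["verdict"], try_restricted_load(blob)[0])
```

Note that `pickle.dumps(os.system)` records the module as `posix` (or `nt` on Windows) rather than `os`, which is why a blocklist that only names `os` misses the most common payload; the scanner keeps both. The allowlist approach is the same idea `torch.load(weights_only=True)` applies with a list of tensor and storage types.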
Patch Details
There is no single patch. PyTorch 2.6 changed the default of `torch.load` to `weights_only=True`, which routes loading through a restricted unpickler; the wider remedy is the ecosystem's move to the `safetensors` format and the pickle scanning Hugging Face applies to uploaded files. Workflows on older PyTorch releases, or those calling `pickle.load` directly, receive no fix from either and must adopt the mitigations above.
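To make concrete why the `safetensors` format recommended in the mitigations and the patch details removes this bug class, the following added example (not the page's code and not the `safetensors` project's own implementation) writes and reads the container with only the standard library: an 8-byte little-endian header length, a JSON header mapping tensor names to `dtype`, `shape` and `data_offsets` (plus an optional `__metadata__` string map), then the raw tensor bytes. The loader only does a bounded `json.loads` and byte slicing, so there is no opcode interpreter and no path from file contents to a Python callable. Function names, the validation policy and the `MAX_HEADER_BYTES` cap are assumptions for this example; the tensors are constructed inline.

```python
# Added example: minimal stdlib writer/reader for the safetensors container.
# Validation policy and helper names are assumptions; tensors are constructed.
import json
import math
import struct

DTYPE_SIZES = {"F64": 8, "F32": 4, "F16": 2, "BF16": 2, "I64": 8, "I32": 4,
               "I16": 2, "I8": 1, "U8": 1, "BOOL": 1}
MAX_HEADER_BYTES = 100 * 1024 * 1024  # cap before json.loads (assumed limit)


def f32(values) -> bytes:
    """Little-endian float32 bytes for a list of Python floats."""
    return struct.pack(f"<{len(values)}f", *values)


def to_f32(raw: bytes) -> list:
    return list(struct.unpack(f"<{len(raw) // 4}f", raw))


def save_safetensors(tensors: dict, metadata=None) -> bytes:
    """tensors: name -> (dtype, shape, raw little-endian bytes)."""
    header, buf = {}, bytearray()
    if metadata:
        header["__metadata__"] = metadata
    for name, (dtype, shape, raw) in sorted(tensors.items()):
        if len(raw) != DTYPE_SIZES[dtype] * math.prod(shape):
            raise ValueError(f"{name}: byte length does not match dtype*shape")
        begin = len(buf)
        buf += raw
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [begin, len(buf)]}
    hjson = json.dumps(header).encode("utf-8")
    hjson += b" " * (-len(hjson) % 8)  # pad to 8 bytes like the reference writer
    return struct.pack("<Q", len(hjson)) + hjson + bytes(buf)


def load_safetensors(blob: bytes) -> dict:
    """Parse and validate; returns name -> (dtype, shape, raw bytes).

    Every check below is a bounds or type check on plain data. Nothing in
    the header can name a module or function, so there is nothing to import.
    """
    if len(blob) < 8:
        raise ValueError("truncated: no header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER_BYTES or 8 + n > len(blob):
        raise ValueError("header length out of range")
    header = json.loads(blob[8:8 + n].decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    data = blob[8 + n:]
    out = {}
    for name, info in header.items():
        if name == "__metadata__":
            if not (isinstance(info, dict) and all(isinstance(k, str) and
                    isinstance(v, str) for k, v in info.items())):
                raise ValueError("__metadata__ must map strings to strings")
            continue
        try:
            dtype, shape = info["dtype"], info["shape"]
            begin, end = info["data_offsets"]
        except (KeyError, TypeError, ValueError):
            raise ValueError(f"{name}: malformed tensor entry") from None
        if dtype not in DTYPE_SIZES:
            raise ValueError(f"{name}: unknown dtype {dtype!r}")
        if not (isinstance(shape, list) and
                all(isinstance(d, int) and d >= 0 for d in shape)):
            raise ValueError(f"{name}: bad shape")
        if not (isinstance(begin, int) and isinstance(end, int)
                and 0 <= begin <= end <= len(data)):
            raise ValueError(f"{name}: data_offsets outside the byte buffer")
        if end - begin != DTYPE_SIZES[dtype] * math.prod(shape):
            raise ValueError(f"{name}: offsets do not match dtype*shape")
        out[name] = (dtype, shape, data[begin:end])
    return out


def demo() -> dict:
    """Round-trip a constructed tensor, then confirm tampered headers are refused."""
    blob = save_safetensors({"w": ("F32", [2, 2], f32([1.0, 2.0, 3.0, 4.0]))},
                            {"format": "pt"})
    roundtrip = to_f32(load_safetensors(blob)["w"][2]) == [1.0, 2.0, 3.0, 4.0]

    def rejected(header: dict, payload: bytes) -> bool:
        h = json.dumps(header).encode("utf-8")
        try:
            load_safetensors(struct.pack("<Q", len(h)) + h + payload)
            return False
        except ValueError:
            return True

    # offsets past the buffer, and a dtype the reader does not know
    bad_offsets = rejected({"w": {"dtype": "F32", "shape": [1000],
                                  "data_offsets": [0, 4000]}}, b"\0" * 16)
    bad_dtype = rejected({"w": {"dtype": "PICKLE", "shape": [1],
                                "data_offsets": [0, 4]}}, b"\0" * 4)
    return {"roundtrip": roundtrip, "rejects_bad_offsets": bad_offsets,
            "rejects_bad_dtype": bad_dtype}
```

The offset and size checks matter in their own right: a reader that trusted `data_offsets` blindly would still be safe from code execution, but could be made to read out of bounds or allocate absurd buffers, which is the residual attack surface that remains once pickle is gone.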