Remote Code Execution via Deserialization of Untrusted Pickle Files in Hugging Face Models
Overview
A high-risk vulnerability pattern exists within the machine learning ecosystem concerning the loading of pre-trained models, particularly those distributed via the Hugging Face Hub. Many models, especially older ones or those from community contributors, are saved using Python's `pickle` serialization format (often with `.pkl` or `.bin` extensions for PyTorch models). The `pickle` module is known to be insecure against maliciously crafted data and can execute arbitrary code when deserializing a file. An attacker can create and upload a 'poisoned' model to the Hub, embedding a malicious payload within the model's serialized data. When a developer or an automated MLOps pipeline downloads and loads this model using standard library functions like `torch.load()` (which uses `pickle` under the hood) or a direct `pickle.load()` call, the embedded malicious code is executed on their machine. This can lead to remote code execution (RCE), allowing the attacker to steal sensitive data (API keys, proprietary code), install ransomware or cryptominers, or pivot within the victim's infrastructure. While Hugging Face has implemented security features like repository scanning and warnings, the fundamental risk remains if users do not explicitly use safer serialization formats. The introduction of the `safetensors` format was a direct response to mitigate this widespread threat.
Affected Systems
Testing Guide
1. **Audit Model Loading Code**: Review your codebase for any calls to `pickle.load()`, `torch.load()`, `joblib.load()`, or similar functions that load files from model repositories.
2. **Check File Extensions**: Be suspicious of models primarily distributed with `.pkl` or `.bin` files without a corresponding `.safetensors` version.
3. **Use a Pickle Scanner**: Run a tool like `picklescan` against model files before loading them to detect potential embedded malicious code: `picklescan -p /path/to/model.pkl`.
Mitigation Steps
1. **Use SafeTensors**: Prioritize loading models in the `.safetensors` format. When using `from_pretrained`, this is often handled automatically if the safe version is available. Explicitly pass `use_safetensors=True` where possible.
2. **Scan Models**: Before loading any model from an untrusted source, use security scanning tools to check for malicious code within pickle files.
3. **Restrict Unpickling**: In PyTorch, use `torch.load(..., weights_only=True)` for checkpoints. This is safer because it restricts the unpickler to tensors, primitive types and dicts instead of allowing arbitrary objects to be reconstructed.
4. **Sandbox Model Loading**: If you must load a pickled model from an untrusted source, do so in a heavily restricted and isolated sandbox environment with no network access and no access to sensitive files.
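The following example is added here to illustrate Testing Guide step 3 and Mitigation Steps 1 and 2 together; it is not code from Hugging Face, `picklescan`, or PyTorch. It inspects a pickle stream with `pickletools.genops`, which only parses opcodes and never executes anything, collects every module and attribute the stream would import (`GLOBAL` for protocols 0 to 3, `STACK_GLOBAL` for protocol 4 and later), and reports anything outside an allowlist of globals that ordinary checkpoints reference. It also looks inside zip-based PyTorch checkpoints, whose pickled object graph lives in a `.pkl` member, and applies a loading policy that prefers `.safetensors` and otherwise accepts a pickle-based file only when the scan is clean. The allowlist, the function names, and the sample files are assumptions constructed for this example; a real deployment would extend the allowlist to the modules its own models legitimately use.

```python
import collections
import io
import json
import pickle
import pickletools
import zipfile
from typing import Dict, List, Optional, Tuple

# Globals that ordinary PyTorch / NumPy checkpoints are expected to reference.
# Anything outside this allowlist is reported as a finding. The list is an
# assumption for this example; extend it for the models you actually ship.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
    ("torch", "LongStorage"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch._utils", "_rebuild_parameter"),
    ("numpy.core.multiarray", "_reconstruct"),
    ("numpy", "ndarray"),
    ("numpy", "dtype"),
}

# Opcodes that push a str onto the pickle VM stack. STACK_GLOBAL (protocol 4+)
# takes its module and attribute name from the two most recent of these.
_STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def find_globals(data: bytes) -> List[Tuple[str, str]]:
    """Return every (module, name) the stream would import, without running it."""
    found = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in _STRING_OPCODES:
            recent_strings.append(arg)
        elif opcode.name == "GLOBAL":          # protocol 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":    # protocol 4+: names come from the stack
            if len(recent_strings) >= 2:
                found.append((recent_strings[-2], recent_strings[-1]))
            else:
                found.append(("<unknown>", "<unknown>"))
    return found


def scan_pickle_bytes(data: bytes) -> List[Tuple[str, str]]:
    """Globals referenced by the stream that are not on the allowlist."""
    return [g for g in find_globals(data) if g not in ALLOWED_GLOBALS]


def scan_checkpoint(data: bytes) -> List[Tuple[str, str]]:
    """Scan a raw pickle, or every .pkl member of a zip-based torch checkpoint."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        findings = []
        with zipfile.ZipFile(buf) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    findings.extend(scan_pickle_bytes(zf.read(member)))
        return findings
    return scan_pickle_bytes(data)


def select_weights_file(files: Dict[str, bytes]) -> Tuple[Optional[str], str]:
    """Loading policy for a downloaded snapshot given as filename -> bytes:
    prefer safetensors, otherwise accept a pickle-based file only if clean."""
    for name in sorted(files):
        if name.endswith(".safetensors"):
            return name, "safetensors selected: no code runs on load"
    for name in sorted(files):
        if name.endswith((".pkl", ".bin", ".pt", ".pth")):
            findings = scan_checkpoint(files[name])
            if findings:
                return None, f"{name} references {findings}; refusing to load"
            return name, f"{name} scanned clean; load it with torch.load(..., weights_only=True)"
    return None, "no loadable weights file found"


# Constructed sample inputs. SAMPLE_UNEXPECTED pickles a reference to json.dumps:
# harmless on its own, but an import a weights file has no reason to contain.
SAMPLE_CLEAN = pickle.dumps(collections.OrderedDict([("w", [0.1, 0.2])]), protocol=2)
SAMPLE_UNEXPECTED = pickle.dumps(json.dumps, protocol=4)
SAMPLE_UNEXPECTED_P2 = pickle.dumps(json.dumps, protocol=2)


def make_zip_checkpoint(pickled: bytes) -> bytes:
    """Build an in-memory zip laid out like a torch.save archive (data.pkl inside)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("archive/data.pkl", pickled)
    return out.getvalue()


SAMPLE_ZIP = make_zip_checkpoint(SAMPLE_UNEXPECTED)

if __name__ == "__main__":
    print(select_weights_file({"model.safetensors": b"\x00", "pytorch_model.bin": SAMPLE_ZIP}))
    print(select_weights_file({"pytorch_model.bin": SAMPLE_ZIP}))
    print(select_weights_file({"model.pkl": SAMPLE_CLEAN}))
```

The allowlist approach is deliberately stricter than a denylist of known-dangerous callables: any import the checkpoint has no reason to make is surfaced, so a reviewer sees the unexpected module rather than trusting a list of bad names to be complete. The scan gates the decision only; the tensor loading itself should still go through `torch.load(..., weights_only=True)` or the `safetensors` path.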
Patch Details
This is a vulnerability pattern, not a specific library flaw. Mitigation relies on user awareness and adopting safer formats like SafeTensors.