Remote Code Execution via Insecure `pickle` Deserialization in Community-Uploaded Hugging Face Models
Overview
A critical vulnerability class was highlighted affecting applications that load community-provided models from the Hugging Face Hub. The vulnerability stems from the use of Python's `pickle` serialization format in older model artifacts, typically files with `.bin` or `.pkl` extensions. The `pickle` module is known to be insecure and can execute arbitrary code when deserializing a maliciously crafted object. An attacker can create a custom Python class with a `__reduce__` method that, when unpickled, executes an OS command. They can then embed an instance of this class within a model's weights file and upload it to the Hub, disguised as a legitimate model. When an unsuspecting developer or automated ML pipeline downloads and loads this model using standard library functions like `torch.load()` (which uses `pickle` internally), the malicious code is executed on their machine with the full permissions of the running process. This can lead to remote code execution (RCE), allowing the attacker to steal data, install malware, or pivot within the victim's network. This issue prompted a wider community move towards safer serialization formats like `safetensors`, which only allows the loading of simple data tensors and prohibits arbitrary code execution, but many legacy models and loading scripts remain vulnerable.
Affected Systems
Testing Guide
1. **Inspect Model Files:** Before loading a model from the Hub, inspect the 'Files and versions' tab. If it primarily contains `.bin` files instead of `.safetensors`, it carries a higher risk.
2. **Use a Model Scanner:** Run a scanner on the downloaded model repository before loading it:

   ```bash
   # Example using a conceptual CLI tool
   hf-scan --repo-id user/risky-model
   ```

   The scanner should flag the presence of pickle files or imports.
3. **Safe Loading Attempt:** Try to load the model with `safetensors` exclusively. If it fails, the model relies on the older, unsafe format. Do not proceed unless you can validate its safety.
Mitigation Steps
1. **Use `safetensors`:** Prioritize loading models exclusively in the `.safetensors` format. This is the default for most modern models on the Hugging Face Hub.
2. **Scan Models Before Loading:** Use model scanning tools like Hugging Face's built-in malware scanner or external tools to check for unsafe modules like `pickle` before loading any model files.
3. **Trust Remote Code Explicitly, Not by Default:** When using `from_pretrained()`, set `trust_remote_code=False` unless you have thoroughly audited the model's source code. This prevents the execution of custom code shipped with the model.
4. **Load in a Sandbox:** If you must use a legacy pickle-based model from an untrusted source, load it within a heavily restricted, sandboxed environment (e.g., a minimal Docker container with no network access or sensitive mounts) to limit the impact of potential code execution.
Patch Details
This is a design-level risk. The mitigation is the adoption of the `safetensors` format and security features like `trust_remote_code=False` in the Hugging Face libraries.