This vulnerability stems from a fundamental design flaw in the deserialization of PyTorch models: model weights are stored in the Pickle format and loaded via torch.load(). To prevent malicious models from executing code, the official documentation strongly recommends passing weights_only=True, which is supposed to restrict loading to plain data types such as "dictionaries, tensors, lists".
BREAKTHROUGH: Security researcher Ji'an Zhou discovered that this safeguard can be bypassed. An attacker can craft model files that disable the deserialization validation mechanism even when weights_only=True is set, so that arbitrary Python code runs when the model is loaded, with the same system privileges as the PyTorch process.
Attack Scenarios:
Supply Chain Contamination: Malicious actors upload backdoored pre-trained models to Hugging Face; developers download them and integrate them into their applications, and remote code execution is triggered automatically on load.
Lateral Movement in Cloud Environments: A compromised model can serve as a springboard to reach cloud storage (S3, GCS) or database credentials.
Mass Deployment Danger: PyTorch has millions of users in critical areas such as autonomous driving, medical diagnostics, and financial modeling.
Technical Depth: The root cause is that the Pickle deserializer interprets opcodes sequentially and executes each one as soon as it is encountered, rather than validating the whole file first. An attacker can place a malicious payload at the beginning of the file, have it execute, and then append bytes that corrupt the file structure, evading blacklist-based scanning tools such as Picklescan.
Fixes and Impacts: A patch has been released in PyTorch 2.6.0, but enterprise upgrade cycles lag behind. Recommendations: do not load models from untrusted sources, switch to the SafeTensors format, verify model file integrity (hash checksums), and isolate the environments in which models are loaded.
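As an added example (not part of the original article and not PyTorch's own code), a fail-closed static pre-check of one raw pickle stream, such as the data.pkl entry extracted from a checkpoint archive (an assumption), that complements the mitigations above: it allowlists the globals a data-only checkpoint may reference (the allowlist shown is assumed and illustrative) and rejects, rather than skips, any stream it cannot fully parse, which is the opposite of the skip-on-corruption behaviour the article attributes to blacklist-based scanners. The sample inputs are constructed.

```python
import datetime
import pickle
import pickletools
from collections import OrderedDict

# Assumed allowlist for illustration; the real one lives inside PyTorch's weights-only unpickler.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}

def check_pickle_stream(data: bytes) -> tuple:
    """Fail-closed pre-flight check of one raw pickle stream: every GLOBAL/STACK_GLOBAL
    must resolve statically to an allowlisted name, and anything malformed is rejected."""
    memo, recent, last_push, end = {}, [], None, -1   # memo slot -> literal; last two pushes
    try:
        for op, arg, pos in pickletools.genops(data):
            if op.name in STRING_OPS:                 # string literal pushed
                last_push = arg
                recent = (recent + [arg])[-2:]
            elif op.name in GET_OPS:                  # re-push a memoised value
                last_push = memo.get(arg)
                recent = (recent + [last_push])[-2:]
            elif op.name == "MEMOIZE":
                memo[len(memo)] = last_push
            elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
                memo[arg] = last_push
            elif op.name in ("GLOBAL", "STACK_GLOBAL"):
                target = tuple(arg.split(" ", 1)) if op.name == "GLOBAL" else tuple(recent)
                if len(target) != 2 or None in target:
                    return False, f"unresolvable global reference at offset {pos}"
                if target not in ALLOWED_GLOBALS:
                    return False, f"global {'.'.join(target)} not allowlisted at offset {pos}"
                last_push, recent = None, []
            else:                                     # any other opcode clears the window
                last_push, recent = None, []
                if op.name == "STOP":
                    end = pos + 1
    except ValueError as exc:                         # truncated stream or unknown opcode
        return False, f"malformed pickle: {exc}"
    if end != len(data):                              # bytes hidden after STOP
        return False, "bytes after STOP"
    return True, "every global is allowlisted"

def sample_streams() -> dict:
    # Constructed inputs (not real checkpoints) exercising each branch of the policy.
    clean = pickle.dumps({"w": [1.0, 2.0]})                          # data only, no globals
    return {"plain_dict": clean,
            "ordered_dict": pickle.dumps(OrderedDict(a=1)),           # allowlisted global
            "other_global": pickle.dumps(datetime.date(2020, 1, 1)),  # harmless, not allowlisted
            "truncated": clean[:-1],                                  # STOP byte cut off
            "trailing_bytes": clean + b"\x00\x00"}                    # data after STOP
```

Run the check before any torch.load() call, and treat every False result as a reason not to load the file at all.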