PoC: CoreMLTools Arbitrary Code Execution via Malicious Sensitivity File
Vulnerability
Apple's CoreMLTools library calls torch.load() without weights_only=True at three locations in sensitive_k_means.py (lines 540, 549, 649).
The SKMPalettizer.compress(sensitivity_path=...) method accepts a user-controlled file path and loads it via torch.load() without the safety flag, allowing arbitrary code execution via pickle deserialization.
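The fix on the library side is to pass `weights_only=True`; the following is an added defensive example (not code from this PoC or from coremltools) showing the control that flag applies: every module a pickle tries to import goes through `find_class`, so an allowlist there stops the deserialization before any attacker-chosen callable is resolved. It assumes a plain-dict sensitivity map and builds a constructed torch-style zip container for the demonstration.

```python
import collections, importlib, io, pickle, zipfile

# Assumption: a sensitivity file only needs containers and numbers, so the
# allowlist is tiny; extend it on purpose (e.g. torch tensor rebuild helpers).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class UnsafeSensitivityFile(pickle.UnpicklingError):
    def __init__(self, module, name):
        super().__init__(f"refusing to import {module}.{name} from sensitivity file")
        self.global_ref = (module, name)

class RestrictedUnpickler(pickle.Unpickler):
    # find_class is the only hook through which a pickle reaches code (os.system,
    # builtins.eval, ...), so gating it is the control torch.load(weights_only=True) applies.
    def __init__(self, stream, audit):
        super().__init__(stream)
        self.audit = audit  # every (module, name) the file asked for
    def find_class(self, module, name):
        self.audit.append((module, name))
        if (module, name) not in ALLOWED_GLOBALS:
            raise UnsafeSensitivityFile(module, name)
        return getattr(importlib.import_module(module), name)

def extract_pickle(blob: bytes) -> bytes:
    # torch.save() writes a zip whose <name>/data.pkl member is the pickle;
    # legacy files are a bare pickle stream. Nothing is deserialised here.
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            (member,) = [m for m in zf.namelist() if m.endswith("data.pkl")]  # exactly one expected
            return zf.read(member)
    return blob

def load_sensitivity(blob: bytes):
    # Returns (object, audit_log). Tensor-bearing checkpoints also use persistent
    # ids for storages; those need torch.load(weights_only=True) instead.
    audit = []
    obj = RestrictedUnpickler(io.BytesIO(extract_pickle(blob)), audit).load()
    return obj, audit

# Constructed sample inputs for this demonstration, not files from the PoC.
SAMPLE_SENSITIVITY = collections.OrderedDict([("conv1.weight", [0.5, 0.25]), ("fc.weight", [1.0])])
class ForeignObject:
    pass  # any class outside the allowlist, standing in for whatever a crafted file imports
def build_sample_checkpoint(obj, protocol=2) -> bytes:
    # Mimics torch.save()'s container layout: protocol 2 pickle at archive/data.pkl.
    payload = pickle.dumps(obj, protocol=protocol)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", payload)
    return buf.getvalue()
```

The audit log is the detection hook: logging every `(module, name)` a sensitivity file requests makes a crafted file visible even when the load is refused.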
Files
- `malicious_sensitivity.pt`: Crafted PyTorch checkpoint that executes `id` when loaded (305 bytes)
- `create_malicious_pt.py`: Script to generate the malicious `.pt` file
- `poc_coremltools_rce.py`: Full PoC demonstrating the vulnerability
Reproduction
```bash
# Requires: pip install torch coremltools
python3 poc_coremltools_rce.py
# Or test just the torch.load part (no coremltools needed):
python3 poc_coremltools_rce.py --torch-only
```
Impact
- Arbitrary code execution when loading a crafted .pt file as sensitivity values
- Attack scenarios: shared ML training environments, CI/CD pipelines, tutorials with malicious downloads
NON-DESTRUCTIVE
This PoC only executes id to demonstrate code execution. No files are modified or deleted.