PyTorch .pt RCE PoC - importlib.import_module + operator.methodcaller ModelScan Bypass
Vulnerability
A malicious .pt file achieves Remote Code Execution when it is loaded: the pickle inside it calls importlib.import_module and operator.methodcaller, two globals that are absent from ModelScan's unsafe_globals blocklist, so the file scans clean.
PyTorch .pt files are ZIP archives containing a data.pkl entry. torch.load() deserializes that entry with pickle, and every global the pickle names is imported and callable during loading.
ModelScan Bypass
ModelScan's PyTorchUnsafeOpScan first checks whether the file is a ZIP archive. If it is, the scanner returns None and skips the file entirely. Even if it did parse the pickle, the payload uses only globals that are not on the blocklist:
importlib.import_module (not in blocklist)
operator.methodcaller (not in blocklist)
import_module returns any module by name and methodcaller invokes any attribute of an object with arbitrary arguments, so together they reach the same sinks the blocklist names (os.system, subprocess, eval) without the pickle ever naming those sinks.
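The two scanner gaps above (skipping ZIPs, and matching only a fixed set of globals) can both be checked statically without ever unpickling. The following is an added example, not part of the original PoC and not ModelScan's code: it opens a .pt archive in memory, walks the opcodes of data.pkl with pickletools.genops, and reports every global referenced, handling both the GLOBAL opcode (protocols 0 to 3) and STACK_GLOBAL (protocol 4+). The archive layout (archive/data.pkl plus a version file) is assumed from torch.save's default naming, and the sample pickles are constructed here with harmless targets (json.dumps) so nothing would run even if they were loaded; the PoC's actual payload is not reproduced.

```python
"""Added example: list the globals a .pt archive's data.pkl would import.

Static only: the pickle stream is parsed with pickletools, never executed.
The archive/data.pkl layout is an assumption based on torch.save's default
archive name; real archives also carry archive/data/<n> tensor blobs.
"""
import collections
import importlib
import io
import pickle
import pickletools
import zipfile

# The two gadget globals the PoC relies on, plus classic sinks for comparison.
SUSPICIOUS_GLOBALS = {
    ("importlib", "import_module"),
    ("operator", "methodcaller"),
    ("os", "system"),
    ("builtins", "eval"),
    ("builtins", "exec"),
    ("subprocess", "Popen"),
}

# Opcodes that push a string constant onto the pickle stack.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def pickle_globals(stream: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) pair the stream would import.

    GLOBAL carries "module name" inline. STACK_GLOBAL (protocol 4+) pops
    module and name from the stack, so we take the two most recently pushed
    strings; a crafted stream could reorder the stack with memo/POP opcodes,
    so a production checker should simulate the stack fully.
    """
    found = []
    pushed = []
    for op, arg, _pos in pickletools.genops(stream):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(pushed) >= 2:
            found.append((pushed[-2], pushed[-1]))
        elif op.name in STRING_OPS:
            pushed.append(arg)
    return found


def scan_pt(pt_bytes: bytes) -> list[tuple[str, str]]:
    """Return the suspicious globals referenced by a .pt archive's data.pkl.

    A ZIP is exactly where the pickle lives, so it is scanned, not skipped.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(pt_bytes)) as zf:
        for entry in zf.namelist():
            if entry.endswith("data.pkl"):
                for g in pickle_globals(zf.read(entry)):
                    if g in SUSPICIOUS_GLOBALS:
                        hits.append(g)
    return hits


def make_pt(data_pkl: bytes) -> bytes:
    """Build a minimal archive in (assumed) torch.save layout around data_pkl."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", data_pkl)
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


# --- constructed samples (harmless targets; not the PoC's payload) ---------

# Protocol 2, hand-assembled so the GLOBAL opcodes are visible. If loaded it
# would evaluate methodcaller("dumps")(import_module("json")), i.e. the same
# import_module -> methodcaller shape aimed at json.dumps instead of a shell.
GADGET_PKL_PROTO2 = (
    b"\x80\x02"                       # PROTO 2
    b"coperator\nmethodcaller\n"      # GLOBAL operator methodcaller
    b"X\x05\x00\x00\x00dumps"         # BINUNICODE "dumps"
    b"\x85R"                          # TUPLE1, REDUCE -> methodcaller("dumps")
    b"cimportlib\nimport_module\n"    # GLOBAL importlib import_module
    b"X\x04\x00\x00\x00json"          # BINUNICODE "json"
    b"\x85R"                          # TUPLE1, REDUCE -> the json module
    b"\x85R"                          # TUPLE1, REDUCE -> json.dumps (bound)
    b"."                              # STOP
)


class _ImportModuleViaReduce:
    """Constructed helper whose __reduce__ makes pickle.dumps emit a
    STACK_GLOBAL for importlib.import_module under protocol 4."""
    def __reduce__(self):
        return (importlib.import_module, ("json",))


GADGET_PKL_PROTO4 = pickle.dumps(_ImportModuleViaReduce(), protocol=4)

# Benign control: references collections.OrderedDict, which is a global but
# not a suspicious one (real data.pkl files also name torch._utils helpers).
BENIGN_PKL = pickle.dumps(collections.OrderedDict(weight=[1.0, 2.0]), protocol=2)


def demo() -> dict[str, list[tuple[str, str]]]:
    """Scan the three constructed archives and return the hits per sample."""
    return {
        "benign": scan_pt(make_pt(BENIGN_PKL)),
        "proto2": scan_pt(make_pt(GADGET_PKL_PROTO2)),
        "proto4": scan_pt(make_pt(GADGET_PKL_PROTO4)),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {'FLAG ' + str(hits) if hits else 'no suspicious globals'}")
```

The allowlist direction is the one to prefer operationally: rather than growing a blocklist, refuse any global outside the handful torch needs to rebuild tensors, or avoid unpickling altogether by loading with weights_only=True or distributing weights as safetensors.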
Reproduction
```python
import torch

# Loading the PoC archive runs the pickle gadget. weights_only=False opts out of
# the restricted unpickler that PyTorch 2.6 and later enable by default.
model = torch.load("model.pt", weights_only=False)  # RCE occurs here
```
The payload leaves a file at /tmp/pytorch_rce_proof; check for it as evidence that the command ran.
Impact
Arbitrary command execution, with the privileges of the loading process, whenever a user loads the malicious .pt model file with torch.load() and unrestricted unpickling (weights_only=False).