PoC β€” Torch Export (.pt2) scanner bypass β†’ RCE via torch.export.load() weights_only=False fallback

Security research proof-of-concept for the huntr Model File Vulnerability (MFV) program (Torch Export format). Benign payload β€” writes /tmp/huntr_pt2_fallback_marker with the loading uid; no destructive action.

A malicious .pt2 archive that picklescan 1.0.4 and modelscan 0.8.8 both report clean, yet executes code on the standard torch.export.load() call:

  1. Both scanners' directory walk skips the .pt2 extension β†’ the archive is never opened.
  2. torch.export.load() β†’ deserialize_torch_artifact() tries torch.load(..., weights_only=True) and, on failure, silently falls back to weights_only=False, unpickling attacker reduce gadgets and negating PyTorch 2.6's safe default.

Files

  • model.pt2 β€” malicious export archive (nested example-inputs pickle replaced by a payload).
  • benign.pt2 β€” unmodified negative control (loads without firing).
  • build_poc.py β€” reproducible builder (benign payload; no build-time side effects).

Reproduce

pip install picklescan modelscan torch
python -c "from picklescan.scanner import scan_directory_path as s; print('infected =', s('.').infected_files)"  # 0
modelscan -p model.pt2          # No issues found! πŸŽ‰
rm -f /tmp/huntr_pt2_fallback_marker
python -c "import torch; torch.export.load('model.pt2')"
cat /tmp/huntr_pt2_fallback_marker

Reported via huntr. For defensive/research use only.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support