PoC β Torch Export (.pt2) scanner bypass β RCE via torch.export.load() weights_only=False fallback
Security research proof-of-concept for the huntr Model File Vulnerability (MFV) program
(Torch Export format). Benign payload β writes /tmp/huntr_pt2_fallback_marker with the loading
uid; no destructive action.
A malicious .pt2 archive that picklescan 1.0.4 and modelscan 0.8.8 both report clean, yet
executes code on the standard torch.export.load() call:
- Both scanners' directory walk skips the
.pt2extension β the archive is never opened. torch.export.load()βdeserialize_torch_artifact()triestorch.load(..., weights_only=True)and, on failure, silently falls back toweights_only=False, unpickling attacker reduce gadgets and negating PyTorch 2.6's safe default.
Files
model.pt2β malicious export archive (nested example-inputs pickle replaced by a payload).benign.pt2β unmodified negative control (loads without firing).build_poc.pyβ reproducible builder (benign payload; no build-time side effects).
Reproduce
pip install picklescan modelscan torch
python -c "from picklescan.scanner import scan_directory_path as s; print('infected =', s('.').infected_files)" # 0
modelscan -p model.pt2 # No issues found! π
rm -f /tmp/huntr_pt2_fallback_marker
python -c "import torch; torch.export.load('model.pt2')"
cat /tmp/huntr_pt2_fallback_marker
Reported via huntr. For defensive/research use only.
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support