Security PoC — gated for review


This repository hosts a proof-of-concept malicious checkpoint for a coordinated huntr.com vulnerability disclosure. Access is restricted to security reviewers.


huggingface/accelerate Accelerator.load_state() — pickle RCE (PoC)

Proof-of-concept for a coordinated huntr.com disclosure against huggingface/accelerate.

custom_checkpoint_0.pkl is a crafted accelerate custom-state checkpoint. Resuming through the public API:

from accelerate import Accelerator

acc = Accelerator()
acc.register_for_checkpointing(obj)   # obj: any object registered as custom state
acc.load_state("<dir containing custom_checkpoint_0.pkl>")   # RCE

triggers arbitrary OS command execution. The call chain is load_state() → load_custom_state() → torch.load(..., weights_only=False) (src/accelerate/checkpointing.py), which unpickles the file and therefore honors any __reduce__ it contains. Vulnerable on every torch version: weights_only=False is passed explicitly, so no safer torch default applies.

The bundled payload is benign — runs id, writes /tmp/accelerate_pwned.txt. Gated (manual approval) so the PoC is not freely downloadable; access granted to huntr's reviewer (protectai-bot).
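As an added example (not code from the PoC repository or from accelerate), the kind of check a reviewer can run over a checkpoint before load_state() hands it to torch.load: it lists the globals a pickle stream would import without unpickling it, so a __reduce__ payload surfaces as an import from os, posix or subprocess instead of executing. The allowlist and the sample inputs are constructed assumptions.

```python
"""Static scan of a pickle stream for the modules it imports, without unpickling.
Nothing executes: pickletools only tokenizes opcodes. Added example; run it
over custom_checkpoint_0.pkl before Accelerator.load_state() reaches torch.load.
"""
import collections
import os
import pickle
import pickletools

# Constructed allowlist (assumption): module roots a plain custom-state
# checkpoint is expected to reference. Tune it for your own checkpoints.
ALLOWED_ROOTS = {"torch", "collections", "numpy"}
# Opcodes that push a string constant; STACK_GLOBAL consumes the top two.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
PUT_OPS = {"BINPUT", "LONG_BINPUT", "PUT"}       # memo writes
GET_OPS = {"BINGET", "LONG_BINGET", "GET"}       # memo reads

def pickle_imports(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the stream would import when loaded."""
    imports, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                  # protocol <= 3: "module name"
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL":          # protocol >= 4: pops name, module
            name, module = strings.pop(), strings.pop()
            imports.append((module, name))
        # Track string constants and the memo so a reused module string
        # (fetched back with BINGET) still reaches STACK_GLOBAL.
        if op.name in STRING_OPS or op.name in GET_OPS:
            last = arg if op.name in STRING_OPS else memo.get(arg)
            if last is not None:
                strings.append(last)
        elif op.name == "MEMOIZE" or op.name in PUT_OPS:
            memo[len(memo) if op.name == "MEMOIZE" else arg] = last
        else:
            last = None                          # a non-string object is on top
    return imports

def unexpected_imports(data: bytes) -> list[str]:
    """Dotted names imported from outside ALLOWED_ROOTS; an empty list is clean."""
    return [f"{m}.{n}" for m, n in pickle_imports(data)
            if m.split(".")[0] not in ALLOWED_ROOTS]

class ReduceDemo:
    """Constructed sample: pickles to a call of os.getcwd(), a harmless stand-in
    for the command the PoC's __reduce__ hands to the unpickler."""
    def __reduce__(self):
        return (os.getcwd, ())

CLEAN_STATE = pickle.dumps(collections.OrderedDict(step=3))   # constructed input
REDUCE_STATE = pickle.dumps(ReduceDemo())                     # constructed input
REDUCE_STATE_V2 = pickle.dumps(ReduceDemo(), protocol=2)      # GLOBAL opcode path
```

torch.save writes a zip archive rather than a bare pickle; to scan one, run the same function over its data.pkl member.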
