StyleGAN3 MFV PoC β RCE via Unsafe Pickle Deserialization
Vulnerability: RCE via pickle.load + exec() in custom unpickler mechanism
Path: torch_utils/persistence.py:87 (pickle.load) + :226 (exec in _src_to_module)
Attack Surface
1. Standard pickle RCE (CWE-502)
torch_utils/persistence.py:87: old_net = pickle.load(f)
malicious.pklβ uses__reduce__() β os.system
2. Custom exec()-based unpickler (CWE-95)
torch_utils/persistence.py:226: exec(src, module.__dict__)
malicious_exec_module_src.pklβ injects arbitrary Python code viamodule_srcfield
Additional pickle.load locations:
metrics/metric_utils.py:50,144dataset_tool.py:162
Impact
- Full RCE when loading ANY malicious .pkl network checkpoint
- Supply chain attack via model sharing
- Bypasses standard pickle RCE scanners (unique exec() path)
Trigger
python -c "
import pickle
with open('malicious.pkl', 'rb') as f:
pickle.load(f)
"
Project
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support