Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restrictive weights_only=True parameter. This oversight allows the deserialization of arbitrary Python objects via the pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution in the context of the user running the script.
AnalysisAI
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.
Technical ContextAI
This vulnerability exploits Python's pickle module, used by PyTorch's torch.load() function for serializing model checkpoints. Pickle can deserialize arbitrary Python objects, including those with __reduce__ methods that execute code during unpickling. The torch-checkpoint-shrink.py script at line 57 (commit 0099885db36a8f06556efe1faf552518852cb1e0) calls torch.load() without the weights_only=True parameter introduced in PyTorch 1.13+ to prevent arbitrary code execution. CWE-502 (Deserialization of Untrusted Data) occurs when applications deserialize data from untrusted sources without validation. In machine learning workflows, checkpoint files are often shared via repositories, cloud storage, or model hubs, creating multiple attack vectors. The CPE data is generic (n/a), indicating the vulnerability affects the ml-engineering GitHub repository scripts rather than a formally packaged product. The attack requires only that a victim process a malicious .pt file through this script, with no authentication barriers for file sourcing.
RemediationAI
Update the torch-checkpoint-shrink.py script by adding weights_only=True parameter to all torch.load() calls, specifically at line 57 where the vulnerability exists. Modify the code from torch.load(file_path) to torch.load(file_path, weights_only=True) to restrict deserialization to tensor data only. No formal patched release version exists as this is a script repository-users must manually apply the fix by editing their local copy or pulling updated commits if the maintainer has released a fix. As an immediate compensating control, implement input validation to process checkpoint files only from trusted, cryptographically verified sources such as signed model registries. Deploy the script in sandboxed execution environments (containers with no network access, restricted filesystem permissions, non-privileged user accounts) to limit blast radius of successful exploitation-note this reduces but does not eliminate risk as code execution still occurs within the sandbox context. For production ML pipelines, implement checkpoint integrity verification using cryptographic signatures before processing, and maintain an allowlist of approved checkpoint sources. Audit all PyTorch-using scripts for similar torch.load() calls without weights_only=True. Trade-off: weights_only=True may break compatibility with checkpoints containing custom objects or optimizer states-test thoroughly in development before production deployment.
More in Checkpoint
View allbackend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data
PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]
Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che
Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien
Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef
Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin
Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29498
GHSA-qw5f-8jqw-9832