Description
The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restrictive weights_only=True parameter. This oversight allows the deserialization of arbitrary Python objects via the pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution in the context of the user running the script.
Published: 2026-05-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The torch-checkpoint-shrink.py script calls torch.load() without the security‑restrictive weights_only=True parameter, so the checkpoint is handed to the pickle module and any Python global the file names is imported and invoked during deserialization. This flaw is classified as CWE‑502 (Insecure Deserialization). An attacker who can supply a maliciously crafted .pt checkpoint file therefore obtains arbitrary code execution with the privileges of the user running the script: a full compromise of that account, and of the whole system if the script is run as root or inside a privileged container.

Affected Systems

The vulnerability exists in the open‑source ml‑engineering project, specifically the torch-checkpoint-shrink.py script at commit 0099885db36a8f06556efe1faf552518852cb1e0. Any copy of the script that is run against checkpoint files from an untrusted source is affected; no vendor or product version details are provided beyond the open‑source repository identifier and that commit.

Risk and Exploitability

The EPSS score is below 1% and the CVE is not listed in CISA KEV, so there is no evidence of exploitation in the wild; the CVSS score of 9.8 instead reflects the impact of arbitrary code execution. The missing weights_only parameter leaves the script exposed to pickle deserialization of attacker-controlled objects. Because the attacker must get a crafted checkpoint file in front of the script, exploitation is limited to scenarios where the script processes untrusted data (the CVSS vector's PR:N/UI:N assumes no user interaction, whereas in practice someone has to run the script on the attacker's file); nevertheless, once the file is loaded the attacker has full control of the running process.

Generated by OpenCVE AI on May 13, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Modify the script to call torch.load(..., weights_only=True) whenever it loads a checkpoint file (in PyTorch 2.6 and later weights_only=True is the default, but setting it explicitly protects users on older releases).
  • Only process .pt files that originate from a trusted source, or move to a checkpoint format that does not rely on pickle at all, such as safetensors.
  • Apply an updated version of the script when one becomes available. Type checking the object returned by torch.load() is not a substitute for the restricted loader: the payload executes during unpickling, before any post-load check can run.
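The following added example is not code from the ml-engineering project or from PyTorch. It models the mechanism described in the Impact section and the weights_only=True fix from the recommended actions using only the standard library, because torch.load() ultimately delegates a .pt file's data.pkl member to the pickle module. The RestrictedUnpickler allowlist is a simplified stand-in for the one PyTorch installs, and the payload class, the two checkpoint blobs and the CKPT_PAYLOAD_RAN marker variable are constructed for the demonstration.

```python
"""Stdlib-only model of the CVE-2026-31214 root cause and fix.

torch.save() writes a .pt file as a zip archive whose data.pkl member is a
pickle stream, and torch.load() unpickles that stream. With
weights_only=False, any global the stream names is imported and called
while loading, so a crafted file runs attacker code. weights_only=True
installs a restricted unpickler that admits only an allowlist of tensor and
container types. This added example reproduces both behaviours with the
plain pickle module: it does not import torch, and RestrictedUnpickler is a
simplified stand-in for PyTorch's allowlist, not its real implementation.
"""
import collections
import io
import os
import pickle

MARKER = "CKPT_PAYLOAD_RAN"  # constructed: env var the payload sets when it runs


class CodeExecPayload:
    """Constructed malicious object. Pickling it emits a REDUCE opcode, so the
    loader calls builtins.eval(<expr>) during deserialization, before the
    caller ever sees the result or gets a chance to type-check it."""

    def __reduce__(self):
        # A real payload would spawn a shell; this one only sets an env var
        # and evaluates to a string that ends up inside the "checkpoint".
        expr = (f"__import__('os').environ.__setitem__({MARKER!r}, '1') "
                "or 'attacker code ran'")
        return (eval, (expr,))


def make_benign_checkpoint() -> bytes:
    """Constructed stand-in for a state_dict; tensors replaced by float lists."""
    state = collections.OrderedDict()
    state["layer.weight"] = [0.1, 0.2, 0.3]
    state["layer.bias"] = [0.0]
    return pickle.dumps(state)


def make_malicious_checkpoint() -> bytes:
    """Constructed attacker file: same shape as a state_dict, one poisoned value."""
    state = collections.OrderedDict()
    state["layer.weight"] = [0.1, 0.2, 0.3]
    state["layer.bias"] = CodeExecPayload()
    return pickle.dumps(state)


def load_checkpoint_vulnerable(blob: bytes):
    """What torch.load(path, weights_only=False) amounts to: every global in
    the stream is resolved with an unrestricted import and called."""
    return pickle.load(io.BytesIO(blob))


class RestrictedUnpickler(pickle.Unpickler):
    """Simplified model of the weights_only=True allowlist (assumption: the
    real list in torch.serialization is longer and includes the tensor
    rebuild helpers and storage classes; the mechanism is the same)."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not allowed in a weights-only load")


def load_checkpoint_hardened(blob: bytes):
    """What torch.load(path, weights_only=True) amounts to."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Run both loaders against both files and report what each one did."""
    os.environ.pop(MARKER, None)
    benign, evil = make_benign_checkpoint(), make_malicious_checkpoint()
    results = {"benign_bias": load_checkpoint_hardened(benign)["layer.bias"]}

    # Hardened loader: the poisoned file is refused at the first forbidden
    # global, so eval is never resolved and the marker stays unset.
    try:
        load_checkpoint_hardened(evil)
        results["hardened_evil_rejected"] = False
    except pickle.UnpicklingError:
        results["hardened_evil_rejected"] = True
    results["marker_after_hardened"] = os.environ.get(MARKER)

    # Vulnerable loader: the same file "loads fine", but the payload ran
    # and its return value now sits where a tensor should be.
    results["vuln_evil_bias"] = load_checkpoint_vulnerable(evil)["layer.bias"]
    results["marker_after_vulnerable"] = os.environ.get(MARKER)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run the file directly to see the four outcomes. The point to take from it is timing: the payload fires inside the unpickler's REDUCE handling, so the only effective control is the one that vetoes the global before it is resolved, which is what the restricted find_class does and what weights_only=True does in PyTorch. In real code that means torch.load(path, map_location="cpu", weights_only=True); if a legitimate checkpoint needs extra classes, register them with torch.serialization.add_safe_globals rather than switching the restriction off, and treat a rejected file as a reason to inspect its origin, not to flip the flag.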


Advisories

No advisories yet.

History

Sun, 17 May 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Stas00; Stas00 ml-engineering
Vendors & Products  |                | Stas00; Stas00 ml-engineering

Wed, 13 May 2026 15:45:00 +0000

Type  | Values Removed | Values Added
Title |                | Insecure deserialization in torch-checkpoint-shrink script leading to remote code execution

Wed, 13 May 2026 14:15:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-502
Metrics    |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
           |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 18:15:00 +0000

Type  | Values Removed | Values Added
Title |                | Insecure deserialization in torch-checkpoint-shrink script leading to remote code execution

Tue, 12 May 2026 16:00:00 +0000

Type        | Values Removed | Values Added
Description |                | (initial CVE description, identical to the Description section at the top of this page)
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-13T13:54:51.093Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31214

Vulnrichment

Updated: 2026-05-13T13:53:29.786Z

NVD

Status : Deferred

Published: 2026-05-12T16:16:13.270

Modified: 2026-05-13T15:51:52.177

Link: CVE-2026-31214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T19:42:34Z

Weaknesses