Description
The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restrictive weights_only=True parameter. This oversight allows the deserialization of arbitrary Python objects via the pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution in the context of the user running the script.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The torch-checkpoint-shrink.py script fails to set the security‑restrictive weights_only=True parameter when calling torch.load(), allowing arbitrary Python objects to be deserialized via pickle. This flaw is classified as CWE‑502 (Insecure Deserialization). An attacker who can supply a maliciously crafted .pt checkpoint file can trigger the script to execute arbitrary code in the environment of the user running the script, leading to complete compromise of that system.

Affected Systems

The vulnerability exists in the open‑source ml‑engineering project, specifically the torch-checkpoint-shrink.py script. Any installation of this script that is capable of processing external checkpoint files is affected; there are no vendor or product version details provided beyond the open‑source repository identifier.

Risk and Exploitability

With no EPSS data and no CISA KEV listing, the risk assessment rests solely on the inherent severity of arbitrary code execution. Omitting the weights_only option creates a high-severity vector: if a user runs the script on a malicious checkpoint, code executes with that user's permissions. Because exploitation requires the attacker either to run the script themselves or to get a crafted file accepted as if it came from a trusted source, the vulnerability is mainly exploitable in controlled or insider scenarios, but the impact remains severe.

Generated by OpenCVE AI on May 12, 2026 at 17:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Modify the script so that every torch.load() call passes weights_only=True when loading a checkpoint file.
  • Validate that any .pt file originates from a trusted source or use a safe deserialization method before passing it to torch.load().
  • Apply an updated version of the script when one becomes available, or replace the script with a hardened alternative that performs explicit type checking on loaded objects.

Generated by OpenCVE AI on May 12, 2026 at 17:48 UTC.
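As an added illustration (not code from the ml-engineering project or from PyTorch), the following stand-alone snippet models in plain Python what weights_only=True does: it swaps the default unpickler for one whose find_class resolves only an allowlist of harmless globals, so a stream that references any other module.name fails before anything is instantiated. The allowlist, the state-dict samples and the is_safe_checkpoint helper are constructed for this demo and are not PyTorch's actual restricted unpickler.

```python
import datetime
import io
import pickle
from collections import OrderedDict

# Demo allowlist (an assumption for this example, not PyTorch's real list):
# only plain containers and scalars may be rebuilt from the stream.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "int"), ("builtins", "float"), ("builtins", "str"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals.

    A pickle stream can run code only by resolving a module.name reference
    and calling it; refusing the lookup stops that before any object is built.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing global {module}.{name}: not in allowlist")


def restricted_loads(data: bytes):
    """Deserialise the way torch.load(..., weights_only=True) would: raise on
    any non-allowlisted global instead of silently importing it."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_checkpoint(data: bytes) -> bool:
    """Pre-flight check: True if the stream loads under the allowlist."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed sample 1: a state-dict-like mapping of plain types (loads).
BENIGN = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2]), ("step", 3)]))
# Constructed sample 2: the same mapping plus an object of a class outside the
# allowlist. datetime.date is harmless; the point is that any unexpected
# global is rejected, so a genuinely dangerous one is never resolved either.
UNEXPECTED = pickle.dumps({"layer.weight": [0.1], "stamp": datetime.date(2026, 5, 12)})
```

Note that an allowlisting loader limits what the stream can construct; it does not replace the recommendation above to accept .pt files only from trusted sources.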

Advisories

No advisories yet.

History

Tue, 12 May 2026 18:15:00 +0000

Type: Title
Values added: Insecure deserialization in torch-checkpoint-shrink script leading to remote code execution

Tue, 12 May 2026 16:00:00 +0000

Type: Description
Values added: The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restrictive weights_only=True parameter. This oversight allows the deserialization of arbitrary Python objects via the pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution in the context of the user running the script.
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T15:04:31.056Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31214

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T16:16:13.270

Modified: 2026-05-12T16:16:13.270

Link: CVE-2026-31214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:00:12Z

Weaknesses

No weakness.