PyTorch Deserialization Vulnerability in pt2 Loading Handler Allows Arbitrary Code Execution

Vulnerability

A deserialization vulnerability has been identified in PyTorch version 2.10.0, specifically within the pt2 Loading Handler component. The issue arises because the 'torch.export.load' function does not expose a parameter that enforces safe deserialization. As a result, when an untrusted .pt2 file is loaded, in particular one whose weights configuration indicates 'use_pickle: True' or one that triggers the exception fallback during deserialization, the loader may silently fall back to pickle without the usual safeguards. Because pickle deserialization can run arbitrary Python code while the file is being loaded, this behavior creates a substantial risk of arbitrary code execution.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the system where PyTorch is running.

Reproduction

To reproduce this vulnerability, load into PyTorch a .pt2 file crafted to include 'use_pickle: True' in its weights configuration. Alternatively, trigger the exception fallback in the 'deserialize_torch_artifact' function, which causes the loading mechanism to revert to pickle without the 'weights_only' restriction. This can be done by creating a .pt2 file that exercises this behavior or by manipulating the loading process so that the fallback is invoked.
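The two conditions named in the Vulnerability and Reproduction sections (a weights configuration with 'use_pickle: True', and weight blobs that are raw pickle streams handed to a fallback loader) can both be checked before a file is ever passed to 'torch.export.load'. The following is an added, defensive example written for this page; it is not code from the advisory or from the PyTorch project. It treats a .pt2 file as the zip archive it is, flags any member config that sets 'use_pickle' to true, and statically lists risky pickle opcodes with the standard library's 'pickletools' without unpickling anything. The config filename pattern ('*config.json'), the 'archive_format' marker, the 'data/weights/' layout and the 0x80 first-byte heuristic are assumptions, and the sample archives are constructed inline rather than produced by 'torch.export.save'.

```python
import io
import json
import pickle
import pickletools
import zipfile

# Pickle opcodes that can import a callable or invoke one during unpickling.
# Any of these in a weights blob means a pickle-based loader could run code.
RISKY_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
    "REDUCE", "NEWOBJ", "NEWOBJ_EX", "BUILD",
}


def scan_pickle_bytes(data: bytes) -> list[str]:
    """Statically walk a pickle stream and report risky opcodes.

    pickletools.genops only parses the opcode stream; nothing is unpickled,
    so no code carried by the blob can run during the scan.
    """
    findings = []
    try:
        for opcode, arg, pos in pickletools.genops(data):
            if opcode.name in RISKY_OPCODES:
                detail = f" {arg!r}" if arg is not None else ""
                findings.append(f"{opcode.name} at offset {pos}{detail}")
    except Exception as exc:  # a truncated or malformed stream is itself suspicious
        findings.append(f"unparseable pickle stream: {exc}")
    return findings


def audit_pt2(archive_bytes: bytes) -> list[str]:
    """Inspect a .pt2 archive (a zip) before it reaches torch.export.load.

    Returns a list of findings; an empty list means nothing pickle-related
    was found. The 'use_pickle' key and the '*config.json' member naming are
    assumptions taken from the advisory wording, not a verified schema.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith("config.json"):
                try:
                    cfg = json.loads(data)
                except ValueError:
                    continue
                if isinstance(cfg, dict) and cfg.get("use_pickle") is True:
                    findings.append(f"{name}: use_pickle is True")
            # Heuristic: explicit .pkl members, or blobs that start with the
            # pickle PROTO opcode (0x80), are treated as pickle streams.
            if name.endswith(".pkl") or data[:1] == b"\x80":
                findings.extend(f"{name}: {f}" for f in scan_pickle_bytes(data))
    return findings


def build_sample_archive(use_pickle: bool, weights_blob: bytes) -> bytes:
    """Build a minimal zip that mimics the assumed pt2 layout.

    Constructed sample for this example; not produced by torch.export.save.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive_format", "pt2")  # assumed marker file
        zf.writestr("data/weights/model_config.json",
                    json.dumps({"use_pickle": use_pickle}))
        member = "data/weights/model.pkl" if use_pickle else "data/weights/model.bin"
        zf.writestr(member, weights_blob)
    return buf.getvalue()


# Constructed inputs: a raw-bytes weights file, and a pickle that merely
# references a builtin by name, which is enough to trip the STACK_GLOBAL
# check without carrying any payload.
CLEAN_ARCHIVE = build_sample_archive(False, b"\x00" * 16)
SUSPECT_ARCHIVE = build_sample_archive(True, pickle.dumps(len))


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ARCHIVE), ("suspect", SUSPECT_ARCHIVE)):
        findings = audit_pt2(blob)
        verdict = "OK to hand to the loader" if not findings else "REFUSE"
        print(f"{label}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

A non-empty result from audit_pt2 is a reason to refuse the file, not to load it with extra care: the gate runs on the bytes before any PyTorch code sees them, so a fallback to pickle inside the loader never gets the chance to fire. It complements, and does not replace, updating to a fixed PyTorch release.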

Remediation

Users should update to a PyTorch version in which this vulnerability has been addressed. The latest version can be downloaded from the official PyTorch website or through the PyTorch GitHub repository. Until the update is applied, .pt2 files from untrusted sources should not be loaded.

Added: Mar 22, 2026, 5:19 AM
Updated: Mar 22, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm

  spread          6.6
  impact          7.5
  exploitability  4.0
  remediation     0.0
  relevance       4.5
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.