MMEngine D61 checkpoint config execution PoC
This repository contains a private/gated proof of concept for a vulnerability in
OpenMMLab MMEngine versions >=0.5.0, <=0.10.7.
The issue is not a pickle-gadget exploit. The malicious .pth checkpoint
contains only primitive dict/string values and can pass:
torch.load("evil.pth", map_location="cpu", weights_only=True)
Execution occurs afterward when MMEngine recovers
checkpoint["message_hub"]["runtime_info"]["cfg"] and parses it as Python via
Config.fromstring(..., file_format=".py").
Files
evil.pth- generated proof-of-concept checkpoint.generate_malicious.py- regeneratesevil.pth.load_driver.py- loads the checkpoint withweights_only=Trueand triggers MMEngine config parsing.requirements.txt- tested dependencies.
Reproduction
python -m pip install -r requirements.txt
python load_driver.py --checkpoint evil.pth --canary /tmp/d61-mmengine-canary
Expected output includes:
loaded_type=dict
cfg_type=str
state_dict_type=dict
canary_exists=True
canary_contents=d61
Affected versions
mmengine >=0.5.0, <=0.10.7- Patched version: none known at submission time.
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support