StyleGAN3 MFV PoC β€” RCE via Unsafe Pickle Deserialization

Vulnerability: RCE via pickle.load + exec() in custom unpickler mechanism

Path: torch_utils/persistence.py:87 (pickle.load) + :226 (exec in _src_to_module)

Attack Surface

1. Standard pickle RCE (CWE-502)

torch_utils/persistence.py:87: old_net = pickle.load(f)

  • malicious.pkl β€” uses __reduce__() β†’ os.system

2. Custom exec()-based unpickler (CWE-95)

torch_utils/persistence.py:226: exec(src, module.__dict__)

  • malicious_exec_module_src.pkl β€” injects arbitrary Python code via module_src field

Additional pickle.load locations:

  • metrics/metric_utils.py:50,144
  • dataset_tool.py:162

Impact

  • Full RCE when loading ANY malicious .pkl network checkpoint
  • Supply chain attack via model sharing
  • Bypasses standard pickle RCE scanners (unique exec() path)

Trigger

python -c "
import pickle
with open('malicious.pkl', 'rb') as f:
    pickle.load(f)
"

Project

https://github.com/NVlabs/stylegan3

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support