Unveiling the Hidden Perils of the TorchScript Engine in PyTorch
Black Hat USA 2025 · Day 1 · Briefings
PyTorch's `weights_only=True` parameter — the standard fix for `pickle`-based RCE in ML model loading — does not actually prevent code execution when loading TorchScript (`.pt`) files, because the TorchScript engine processes a separate code path with over 2,000 built-in operators. Alibaba Cloud researchers discovered two operators (`save` and `from_file`) that enable arbitrary file write and read, confirmed RCE against VLLM and Hugging Face Transformers, and reported a heap overflow in the same code path. Both ecosystems have now patched, but hard-coded PyTorch version pins in downstream projects left users exposed long after fixes were available.

---
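A defender-side pre-load check for the problem described above, as an added example (not the researchers' or PyTorch's own code): it inspects a `.pt` file's zip layout to tell a TorchScript archive from a plain pickled checkpoint before anything calls `torch.load`, and scans the embedded TorchScript source for the two operators the talk names. Assumptions: the archive layout (`constants.pkl` plus a `code/` directory, the layout `torch.jit.save` writes) and the `torch.save` / `torch.from_file` token patterns are this example's heuristics, and the sample archives are constructed inline rather than real models.

```python
"""Pre-load check for .pt files: distinguish plain pickled checkpoints from
TorchScript archives and flag embedded TorchScript code that references the
file operators named in the talk.  Added example, not the researchers' tooling.
Assumption: a TorchScript archive is a zip whose entries include
'<prefix>/constants.pkl' and '<prefix>/code/*.py'; the token patterns below
are heuristics, not an exhaustive list of risky operators."""
import io
import re
import zipfile

# Operator names the talk reports as file write/read primitives; how they
# surface in serialized TorchScript source is an assumption of this scanner.
SUSPICIOUS_OPS = ("save", "from_file")
_OP_RE = re.compile(r"\b(?:torch\.|aten::)(save|from_file)\b")


def is_torchscript_archive(data: bytes) -> bool:
    """True if the bytes are a zip with TorchScript layout (constants.pkl or code/)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    has_constants = any(n.endswith("constants.pkl") for n in names)
    has_code = any("/code/" in n and n.endswith(".py") for n in names)
    return has_constants or has_code


def scan_torchscript_code(data: bytes) -> list:
    """Return (entry, operator) pairs for embedded source that calls a flagged op."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if "/code/" not in name or not name.endswith(".py"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for m in _OP_RE.finditer(text):
                hits.append((name, m.group(1)))
    return hits


def check_checkpoint(data: bytes, expect_torchscript: bool = False) -> dict:
    """Policy: a pipeline that expects plain weights rejects any TorchScript
    archive outright (weights_only does not govern that path); a pipeline that
    expects TorchScript still refuses archives whose code uses a flagged op."""
    if not is_torchscript_archive(data):
        return {"torchscript": False, "allowed": True, "hits": []}
    hits = scan_torchscript_code(data)
    return {"torchscript": True, "allowed": expect_torchscript and not hits, "hits": hits}


def _build_archive(code: str) -> bytes:
    """Constructed sample archive mimicking the torch.jit.save layout (no real model)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/version", "3\n")
        zf.writestr("model/constants.pkl", b"\x80\x02)q\x00.")  # empty-tuple pickle
        zf.writestr("model/data.pkl", b"\x80\x02)q\x00.")
        zf.writestr("model/code/__torch__.py", code)
    return buf.getvalue()


# Constructed fixtures: a benign forward, a forward whose source touches the
# filesystem via the flagged ops (placeholder paths), and a non-zip pickle blob.
BENIGN = _build_archive(
    "def forward(self, x: Tensor) -> Tensor:\n"
    "    return torch.relu(x)\n"
)
FILE_TOUCHING = _build_archive(
    "def forward(self, x: Tensor) -> Tensor:\n"
    "    t = torch.from_file(\"/placeholder/read/path\")\n"
    "    torch.save(x, \"/placeholder/write/path\")\n"
    "    return x\n"
)
PLAIN_PICKLE = b"\x80\x02}q\x00."  # plain empty-dict pickle, not a zip archive

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_PICKLE), ("benign", BENIGN), ("file-touching", FILE_TOUCHING)):
        print(label, check_checkpoint(blob, expect_torchscript=True))
```

The design point is that `weights_only=True` only constrains the pickled state-dict path, so a loader that expects plain weights should reject a TorchScript archive before any PyTorch deserialization runs, rather than trusting the flag to cover that case; the operator scan is a coarse second layer for pipelines that genuinely need to accept TorchScript.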
AI review
Zhou and Song blew a hole in the `weights_only=True` cargo cult. The entire ML ecosystem was treating this parameter as a security boundary when it was actually an open window to 2,000+ operators with file read/write primitives inside. Confirmed RCE against VLLM and Hugging Face Transformers, heap overflow on top — this is the real deal.