PyTorch, Deserialization Vulnerability, CVE-2024-5480 (Critical)

Listen to this Post

The vulnerability resides in PyTorch’s `weights_only=True` unpickler, designed to safely load only model tensors from `.pth` checkpoint files. The security mechanism failed to properly validate low-level Pickle opcodes and tensor storage metadata during deserialization. Specifically, it incorrectly allowed the `SETITEM` and `SETITEMS` opcodes to be executed on non-dictionary Python objects. This flaw, combined with a lack of validation for declared storage size versus actual archived data, enables an attacker to craft a malicious file that corrupts the heap’s memory layout. By precisely manipulating these primitives, an attacker can overwrite critical pointers or data structures in memory. When the corrupted memory is later accessed or used by the PyTorch process, it can lead to a crash, data corruption, or the execution of attacker-controlled code, effectively bypassing the intended `weights_only` safety restriction.
Platform: PyTorch
Version: < 2.3.0
Vulnerability : Memory Corruption
Severity: Critical
Date: 2024-05-16

Prediction: 2024-05-30

What Undercode Say:

Analytics

Find potentially vulnerable load calls in codebase
grep -r "torch.load.weights_only=True" /path/to/project/
Example of a safe load call (but vulnerable before patch)
import torch
model = torch.load('checkpoint.pth', weights_only=True)
Check PyTorch version
python -c "import torch; print(torch.<strong>version</strong>)"

How Exploit

Malicious checkpoint payload structure
import pickle, torch
class MaliciousTensor:
def <strong>reduce</strong>(self):
Corrupting SETITEM opcode on non-dict
return (setattr, (..., ..., ...))
torch.save(MaliciousTensor(), 'exploit.pth')

Protection from this CVE

  • Update PyTorch
  • Verify checkpoint sources
  • Use virtual environments
  • Temporary workaround: Avoid `weights_only=True`

Impact

  • Arbitrary Code Execution
  • Memory Corruption
  • Bypass Safety Features
  • Local Privilege Escalation
  • Process Crash

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top