Skip to main content

Python Pickle RCE: The Hidden Danger in AI Models

The Standard That Wasn't Built for Security

If you work in Data Science, you use pickle. It is the standard way to serialize Python objects, used by libraries like joblib, pandas, and historically, PyTorch.

However, the Python documentation itself carries a bright red warning: "The pickle module is not secure. Only unpickle data you trust."

The problem is that in the AI supply chain—downloading models from Hugging Face or GitHub—you are constantly unpickling data you don't trust.

How the Vulnerability Works

Pickle is not just a data format (like JSON). It is a stack-based virtual machine. When you load a pickle file, the Python interpreter executes a sequence of opcodes to reconstruct the object.

The vulnerability lies in the __reduce__ method. This magic method tells the pickler how to reconstruct an object. An attacker can override this method to return a callable (like os.system) and arguments (like "rm -rf /").

The Exploit Code

Here is how simple it is to create a malicious model:

import pickle
import os

class MaliciousModel:
    def __reduce__(self):
        # When this file is loaded, it executes 'whoami'
        return (os.system, ("whoami",))

# Save the "model"
with open("model.pkl", "wb") as f:
    pickle.dump(MaliciousModel(), f)

When a victim runs pickle.load(open("model.pkl", "rb")), the command executes immediately on their machine.

The Impact on AI

Attackers hide these payloads inside large .bin or .pkl files disguised as ResNet or BERT models. Since the file is binary, a human reviewer cannot see the malicious code by opening it in a text editor.

Defense Strategies

  1. Use Safer Formats: Whenever possible, use Safetensors or ONNX. These formats are purely data-driven and cannot execute code.
  2. Load with Caution: If you must use pickle, restrict the globals that can be loaded (though this is hard to implement correctly).
  3. Static Analysis:

You should scan pickle files before loading them. Veritensor implements a custom Pickle Virtual Machine that emulates the stack execution without actually running the code. It detects dangerous opcodes and imports like os, subprocess, or eval inside the file.

veritensor scan ./downloads/model.pkl

If the scanner detects CRITICAL: os.system (via STACK_GLOBAL), delete the file immediately.