Safe Harbor or Hostile Waters: Unveiling the Hidden Perils of the TorchScript Engine in PyTorch

Presented at DEF CON 33 (2025), Aug. 8, 2025, noon (45 minutes).

PyTorch is a machine learning library based on the Torch library, used for applications such as computer vision and natural language processing. It is one of the most popular deep learning frameworks. However, beneath its powerful capabilities lies a potential security risk. Initially, PyTorch used pickle to save models, but because pickle deserialization is insecure, loading a model carried a risk of Remote Code Execution (RCE). Subsequently, PyTorch introduced the weights_only parameter to enhance security. The official documentation states that weights_only=True is considered safe and recommends using it over weights_only=False. For years, the security of weights_only=True remained unchallenged. Our research, however, uncovered unsettling truths. We discovered that torch.load with weights_only=True supports TorchScript, which led us to delve into TorchScript's inner workings. After a period of research, we discovered several vulnerabilities and ultimately achieved RCE. We promptly reported this finding to PyTorch, who acknowledged the vulnerability and assigned us CVE-2025-32434. This revelation overturns established understandings and has profound implications for numerous AI applications. We will provide an in-depth analysis of the impact of this vulnerability. In this talk, we will explain how we found our inspiration and discovered this interesting vulnerability. Our findings once again confirm the statement, "The Safe Harbor you once thought was actually Hostile Waters."
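One defensive takeaway from the abstract is that a checkpoint handed to torch.load should be inspected before loading, because weights_only=True does not exclude TorchScript content. The following is an added illustration, not code from the talk or from PyTorch: it inspects the zip entries of a checkpoint without importing torch and flags archives that carry TorchScript markers. The marker names (a code/ directory and constants.pkl, as written by torch.jit.save) are an assumption about the archive layout, and the sample archives are constructed inline.

```python
"""Pre-load triage: does a .pt/.pth file look like a TorchScript archive?"""
import io
import zipfile

# Assumption (not stated on the page): torch.jit.save writes a code/ directory
# and a constants.pkl next to data.pkl, while a plain torch.save() state_dict
# archive has only data.pkl, data/* and version under one top-level directory.
TORCHSCRIPT_MARKERS = ("code/", "constants.pkl")


def classify_checkpoint(blob: bytes) -> str:
    """Return 'torchscript', 'zip-pickle' or 'not-zip' for a checkpoint's bytes."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return "not-zip"  # pre-zip legacy format or something else entirely
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
    # Strip the single top-level directory, e.g. "model/data.pkl" -> "data.pkl".
    tails = ["/".join(n.split("/")[1:]) for n in names]
    if any(t.startswith(TORCHSCRIPT_MARKERS[0]) or t == TORCHSCRIPT_MARKERS[1]
           for t in tails):
        return "torchscript"
    if "data.pkl" in tails:
        return "zip-pickle"
    return "not-zip"


def should_pass_to_torch_load(blob: bytes) -> bool:
    """Policy hook: only plain weight archives are forwarded to torch.load."""
    return classify_checkpoint(blob) == "zip-pickle"


def _build_archive(entries) -> bytes:
    """Constructed sample archive with dummy bodies for the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"x")
    return buf.getvalue()


# Constructed samples mimicking the two layouts described in the comments above.
STATE_DICT_SAMPLE = _build_archive(["m/data.pkl", "m/data/0", "m/version"])
TORCHSCRIPT_SAMPLE = _build_archive(
    ["m/code/__torch__.py", "m/constants.pkl", "m/data.pkl", "m/data/0", "m/version"]
)

if __name__ == "__main__":
    for label, blob in (("state_dict", STATE_DICT_SAMPLE),
                        ("torchscript", TORCHSCRIPT_SAMPLE)):
        print(label, classify_checkpoint(blob), should_pass_to_torch_load(blob))
```

The check is a triage filter, not a substitute for upgrading PyTorch: it only tells you which files never need the TorchScript loading path at all.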

Presenters:

  • Ji'an "azraelxuemo" Zhou
    Ji'an Zhou is a Security Engineer at Alibaba Cloud. He focuses on Java security and cloud native security, and his work has helped many high-profile vendors improve their products' security, including Google, Amazon, Cloudera, IBM, Microsoft and Oracle. He has previously spoken at Black Hat, Zer0Con and Off-by-One Con.
  • Lishuo "ret2ddme" Song
    Lishuo Song is a Security Engineer at Alibaba Cloud. He focuses on browser security and has found several security bugs in Google Chrome.