PyTorch Subverted Loading Mechanism Triggering ACE
Overview
PyTorch is one of the world's most dominant deep learning frameworks. Historically, PyTorch serialized its models using Python's native pickle format, producing files (typically .pt or .pth) that can execute arbitrary code when loaded. The PAIT-PYTCH-100 alert fires when Eresus Sentinel detects a malicious PyTorch artifact attempting to weaponize the torch.load() function to trigger Arbitrary Code Execution (ACE) on your cloud servers.
To mitigate legacy threats, PyTorch introduced the weights_only=True parameter. This parameter restricts the unpickler to tensors, primitives, and dictionaries, flatly forbidding custom classes. However, attackers continue to discover deep-level bypasses (e.g., CVE-2025-32434, fixed in PyTorch 2.6.0) that force the loader to deserialize maliciously crafted Python globals despite the security flag being set.
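The underlying danger comes from the pickle format itself, not from any PyTorch-specific logic. The stdlib-only sketch below (no torch required; a harmless side effect stands in for a real payload) shows how any object embedded in a pickle stream can dictate a callable for the unpickler to run during deserialization:

```python
import pickle

executed = []

def mark_executed(tag):
    # Stands in for a real payload such as os.system("curl ... | sh")
    executed.append(tag)

class Payload:
    # __reduce__ tells the unpickler which callable to invoke at load time
    def __reduce__(self):
        return (mark_executed, ("pwned",))

blob = pickle.dumps(Payload())
pickle.loads(blob)   # mark_executed fires during deserialization itself
print(executed)      # ['pwned']
```

Note that the side effect runs before the caller ever inspects the returned object, which is why "just looking at the weights" offers no protection.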
The Threat of Execution Bypasses
If your pipeline registers this alert, a threat actor has compiled an advanced exploitation payload structurally mapped to deceive typical PyTorch loading schemas. Even if the data scientist only intended to inspect the weights, the payload executes its embedded commands (such as installing backdoor agents or exfiltrating datasets) the instant torch.load() deserializes the file in memory.
How The Attack Works
Threat actors study the internal security restrictions of the torch.load mechanism (such as allowed globals within PyTorch versions <= 2.5.1) and utilize unpatched loopholes to chain together hostile system opcodes within the model's metadata headers.
```mermaid
sequenceDiagram
    participant Hacker
    participant PyTorch_Hub as Open Model Ecosystem
    participant Cloud_GPU as Victim Inference Node
    participant Shell as Subprocess Exec
    Hacker->>Hacker: Crafts payload targeting allowed PyTorch globals
    Hacker->>PyTorch_Hub: Uploads 'ResNet50-Optimized.pth'
    Cloud_GPU->>PyTorch_Hub: Pulls the PyTorch artifact for inference
    Cloud_GPU->>Cloud_GPU: Executes torch.load(file, weights_only=True)
    Cloud_GPU->>Cloud_GPU: Sophisticated exploit bypasses tensor-only restrictions
    Cloud_GPU->>Shell: Spawns unauthorized RCE via mapped opcode chains
    Shell-->>Hacker: Attacker gains shell context on expensive GPU instance
```
Key Points
- Security Parameter Illusions: Developers frequently rely on `weights_only=True` as a definitive shield against malicious actors. This vulnerability class proves that parameterized restrictions layered on a fundamentally unsafe (pickle-based) file format are insufficient.
- Version-Specific Exploitation: Attackers explicitly build `.pth` payloads that exploit known deserialization flaws present in extremely common unpatched legacy versions of PyTorch (v2.0 - v2.5.1).
- Silent Background Execution: The PyTorch framework may genuinely finish loading the expected tensor components into the script, blinding researchers to the malicious code that ran alongside.
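One way to act on these points is to statically inspect a checkpoint's pickle stream before ever loading it. The sketch below uses only the standard library's `pickletools`; the function name `referenced_globals` is our own, and for a real `.pt`/`.pth` file (a zip archive) you would scan the `data.pkl` member rather than the file itself:

```python
import pickle
import pickletools

def referenced_globals(blob: bytes):
    """List the module.attr pairs a pickle stream imports when loaded.

    Minimal sketch: covers GLOBAL (protocol 0/1) and STACK_GLOBAL
    (protocol 2+), enough to flag suspicious imports such as os.system.
    """
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(blob):
        if opcode.name == "GLOBAL":                 # arg is "module attr"
            found.append(arg.replace(" ", "."))
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append(f"{strings[-2]}.{strings[-1]}")
        if isinstance(arg, str):                    # remember pushed strings
            strings.append(arg)
    return found

class Evil:
    def __reduce__(self):
        # A real payload would target os.system or builtins.eval
        return (print, ("pwned",))

print(referenced_globals(pickle.dumps(Evil())))     # ['builtins.print']
```

Anything outside a small allowlist of tensor-related globals is grounds to reject the artifact without loading it.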
Impact
Because PyTorch processes usually demand vast resource allocations (High-VRAM GPU matrices and terabytes of training data), a successful breach directly compromises an organization's most expensive hardware. Intruders can hijack GPU infrastructure to silently run persistent cryptocurrency miners, or immediately exfiltrate proprietary corporate data sets through the compromised Python environment's network bindings.
Best Practices
- Switch to Safetensors Native Loading: The industry-agreed solution is abandoning `.pt`/`.pth` file extensions entirely in favor of `.safetensors`. This open format contains no executable deserialization step, fundamentally neutering any potential code execution logic.
- Aggressive Version Patching: Ensure your entire production infrastructure is universally upgraded. PyTorch v2.6.0 patched critical `weights_only` bypass vulnerabilities; unpatched clusters remain high-value targets.
- Air-Gapped Evaluations: If loading a legacy open-source `.pt` checkpoint is unavoidable, do so within a strictly walled, isolated namespace with completely revoked network ingress/egress policies and limited filesystem privileges.
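The safety of Safetensors comes from its structure: an 8-byte little-endian length prefix, a JSON header describing dtypes, shapes, and byte offsets, then raw tensor bytes. Loading is pure data parsing with no opcode stream to execute. A minimal stdlib sketch of the header layout (the in-memory "file" here is hand-built for illustration):

```python
import json
import struct

def read_safetensors_header(blob: bytes) -> dict:
    # First 8 bytes: little-endian uint64 giving the JSON header's length
    (n,) = struct.unpack("<Q", blob[:8])
    # The header is plain JSON: nothing in it can trigger code execution
    return json.loads(blob[8:8 + n].decode("utf-8"))

# Hand-rolled minimal file: one float32 tensor "w" holding four zeros
header = {"w": {"dtype": "F32", "shape": [4], "data_offsets": [0, 16]}}
hjson = json.dumps(header).encode("utf-8")
blob = struct.pack("<Q", len(hjson)) + hjson + b"\x00" * 16

print(read_safetensors_header(blob)["w"]["shape"])  # [4]
```

Because the worst a malformed header can do is fail JSON parsing, the format removes the entire ACE class rather than attempting to filter it.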
Remediation
If an Eresus PAIT-PYTCH-100 alarm triggers, sever the network bindings of the container processing the payload immediately. Dump system kernel logs locally to evaluate how deeply the executing shell penetrated the host architecture. Audit your internal infrastructure pipeline, systematically purging all references and local copies of the identified .pth asset from S3 buckets, internal registries, and workspace caches. Finally, re-export the underlying model weights into a modern Safetensors variant.
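To support the purge step, a small sweep over workspace caches can enumerate lingering pickle-based checkpoints for manual review. This is a hedged sketch (the function name and extensions are illustrative; extend the pattern list to match your registry layout):

```python
import tempfile
from pathlib import Path

def find_pickle_checkpoints(root):
    """Return every .pt/.pth artifact under root, sorted, for review."""
    root = Path(root)
    return sorted(p for ext in ("*.pt", "*.pth") for p in root.rglob(ext))

# Demo on a throwaway directory standing in for a workspace cache
with tempfile.TemporaryDirectory() as d:
    (Path(d) / "model.pth").touch()
    (Path(d) / "weights.safetensors").touch()
    print([p.name for p in find_pickle_checkpoints(d)])  # ['model.pth']
```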
Further Reading
Fortify your model integration procedures by reviewing authoritative security implementations:
- PyTorch Official Security Documentation: Direct warnings and mitigation parameters written by the core framework maintenance team.
- Safetensors (Hugging Face GitHub): The comprehensive, safe serialization protocol fundamentally immune to executing PyTorch load vulnerabilities.
- Understanding Model Exploitation CVEs: Deep analysis of how `weights_only` mechanisms are conceptually defeated.
📥 Eresus Sentinel Dismantles Advanced PyTorch Serialization Exploits
Do not let zero-day loopholes inside legacy serialization modules compromise your GPU clusters. Eresus Sentinel aggressively inspects inbound .pth binaries, identifying hidden global invocation chains designed to bypass primitive security flags before they interact with PyTorch. Deploy state-of-the-art MLOps security today.
FAQ
Is this risk limited to prompt injection?
No. In AI security, prompt injection is an important starting point, but it does not tell the whole story on its own. The retrieval layer, tool permissions, trust in model artifacts, sensitive data in logs, user authorization, and integration boundaries must be evaluated together.
What should the first technical control be?
First, map which data the system can access, which actions it can take, and under which identity those actions run. Without this map, testing rarely goes beyond a few prompt attempts.
When is professional support needed?
If the AI application touches customer data, internal documents, production APIs, or agent flows that take automated actions, a professional security review is required. At that point the risk is no longer the model's answer, but the organization's internal authorization and data boundaries.