CVE-2021-4118: pytorch-lightning: deserialization RCE via malicious checkpoint
Severity: HIGH. Proof-of-concept available.
Any ML engineer who loads a checkpoint file from an untrusted source (a shared S3 bucket, a model registry, a colleague's drive) can trigger arbitrary code execution on their workstation or training server. Upgrade pytorch-lightning to a release that contains the fix and restrict checkpoint ingestion to internally generated, integrity-verified files. This is a realistic insider-threat and supply-chain vector for any organization with active ML training workflows.
Risk Assessment
High risk for organizations running ML training workflows. The local attack vector and the required user interaction (someone has to load the file) limit opportunistic, remote exploitation, but in practice ML teams routinely exchange .ckpt files via cloud storage, model registries and internal repositories, which creates realistic supply-chain and insider-threat paths. Training processes often run with elevated permissions or cloud IAM roles, so the blast radius is larger than the CVSS 7.8 score alone suggests.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| pytorch_lightning | pip | Releases predating fix commit 62f1e82e | Yes, by commit 62f1e82e (see References) |
Recommended Action
1. Upgrade pytorch-lightning to a release that includes fix commit 62f1e82e.
2. Audit all CI/CD and MLOps pipelines for points where checkpoints produced outside the pipeline can be ingested.
3. Restrict checkpoint loading to internally generated files with cryptographic integrity checks (for example a SHA-256 manifest written by the training job). The manifest only proves anything if it is signed or stored somewhere the attacker cannot rewrite alongside the checkpoint.
4. Use picklescan or modelscan to scan existing .ckpt files for malicious payloads before loading. Both tools statically inspect the pickle for dangerous imports; treat a clean scan as defense in depth, not as proof that a file is safe.
5. Never load checkpoint files from untrusted sources without sandboxing (for example an isolated container with no network access and no cloud credentials).
6. Monitor for anomalous subprocess spawning or outbound connections from model-loading processes in SIEM/EDR; a weights loader has no reason to do either.
Frequently Asked Questions
What is CVE-2021-4118?
CVE-2021-4118 is a deserialization-of-untrusted-data vulnerability in pytorch-lightning. Loading a crafted checkpoint file from an untrusted source (a shared S3 bucket, a model registry, a colleague's drive) can execute arbitrary code on the workstation or training server that loads it. See the summary and Recommended Action above.
Is CVE-2021-4118 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2021-4118 (see the huntr report under References), which lowers the bar for exploitation. The EPSS probability recorded for it is 0.27%.
How to fix CVE-2021-4118?
Follow the six steps under Recommended Action: upgrade to a release containing fix commit 62f1e82e, audit pipeline ingestion points, enforce cryptographic integrity checks on checkpoints, scan existing .ckpt files with picklescan or modelscan, sandbox any load of an untrusted file, and monitor model-loading processes for subprocess spawning and outbound connections.
What systems are affected by CVE-2021-4118?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps pipelines, collaborative ML workflows.
What is the CVSS score for CVE-2021-4118?
CVE-2021-4118 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.27%.
Technical Details
NVD Description
pytorch-lightning is vulnerable to Deserialization of Untrusted Data
Exploitation Scenario
An adversary targeting an ML team uploads a weaponized .ckpt checkpoint file to a shared S3 bucket or internal model registry used by the organization, either through a compromised contributor account or as a malicious open-source contribution. A data scientist or MLOps engineer loads the checkpoint to resume a training run. pytorch-lightning deserializes the file with Python's pickle protocol, which executes the embedded payload during loading. The attacker obtains a reverse shell with the privileges of the training process, harvests AWS/GCP metadata-service credentials, exfiltrates proprietary model weights, and establishes persistence in the ML infrastructure.
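The pickle mechanism the scenario above relies on, together with the integrity check, static scan and allowlisted loader that the Recommended Action steps call for, as an added example that is not pytorch-lightning's or PyTorch's own code. It assumes a checkpoint is a zip archive containing a `data.pkl` pickle entry (the layout `torch.save` writes); the entry name `archive/data.pkl`, the `CKPT_PWNED` marker, `BENIGN_STATE`, the module deny-list and the global allowlist are illustrative choices, and the constructed payload only sets an environment variable where a real one would spawn a shell. torch is not imported, so it runs anywhere Python does.

```python
"""Added example (not pytorch-lightning or PyTorch code): a checkpoint-shaped
zip whose data.pkl is a pickle, a crafted one that runs code on load, and the
three checks that stop it (static scan, SHA-256 manifest, allowlisting unpickler)."""
from __future__ import annotations

import hashlib
import hmac
import io
import os
import pickle
import pickletools
import zipfile

PICKLE_ENTRY = "archive/data.pkl"  # assumed entry name, mirroring torch.save's layout
MARKER = "CKPT_PWNED"              # the constructed payload sets this instead of spawning a shell

# Modules that have no business appearing in a weights file's import list (illustrative).
DANGEROUS_MODULES = {"builtins", "os", "posix", "nt", "subprocess", "sys", "shutil",
                     "socket", "runpy", "importlib", "codecs", "pty"}
# Globals a plain state-dict checkpoint legitimately needs (illustrative; a loader
# for real tensors would also allow the torch tensor-rebuild helpers).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class MaliciousCheckpoint:
    """Constructed payload: pickle encodes this object as a call to builtins.exec."""
    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def build_ckpt(obj) -> bytes:
    """Serialise obj into a checkpoint-shaped zip; fixed timestamp keeps the bytes reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(PICKLE_ENTRY, date_time=(2021, 1, 1, 0, 0, 0))
        zf.writestr(info, pickle.dumps(obj))
    return buf.getvalue()


def _pickle_bytes(ckpt: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(ckpt)) as zf:
        return zf.read(PICKLE_ENTRY)


def scan_ckpt(ckpt: bytes) -> list[str]:
    """Static scan (picklescan-style): every module.name the pickle would import,
    found by walking opcodes without executing them. Handles GLOBAL (protocol <= 3)
    and STACK_GLOBAL (protocol 4+, module and name pushed as strings just before it)."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(_pickle_bytes(ckpt)):
        if op.name == "GLOBAL":                       # arg is rendered as "module name"
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            found.append(f"{strings[-2]}.{strings[-1]}")
        elif op.name in {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}:
            strings.append(arg)
    return found


def is_suspicious(globals_found: list[str]) -> bool:
    return any(g.split(".", 1)[0] in DANGEROUS_MODULES for g in globals_found)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(ckpt: bytes, manifest: dict[str, str], name: str) -> bool:
    """Integrity check against a digest manifest the training job published."""
    return hmac.compare_digest(manifest.get(name, ""), sha256_hex(ckpt))


class AllowlistUnpickler(pickle.Unpickler):
    """Refuse every global outside ALLOWED_GLOBALS; the idea behind torch.load(weights_only=True)."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to import {module}.{name} from checkpoint")


def safe_load(ckpt: bytes):
    return AllowlistUnpickler(io.BytesIO(_pickle_bytes(ckpt))).load()


def unsafe_load(ckpt: bytes):
    """What a plain pickle.load / legacy torch.load does: trust the file completely."""
    return pickle.loads(_pickle_bytes(ckpt))


def payload_fired() -> bool:
    return os.environ.get(MARKER) == "1"


BENIGN_STATE = {"epoch": 3, "state_dict": {"layer.weight": [0.1, -0.2, 0.3]}}  # constructed
BENIGN_CKPT = build_ckpt(BENIGN_STATE)
TRUSTED_MANIFEST = {"epoch3.ckpt": sha256_hex(BENIGN_CKPT)}  # what the training job would publish

if __name__ == "__main__":
    evil = build_ckpt(MaliciousCheckpoint())
    print("scan benign:", scan_ckpt(BENIGN_CKPT), "scan evil:", scan_ckpt(evil))
    print("manifest accepts benign/evil:", verify_manifest(BENIGN_CKPT, TRUSTED_MANIFEST, "epoch3.ckpt"),
          verify_manifest(evil, TRUSTED_MANIFEST, "epoch3.ckpt"))
    try:
        safe_load(evil)
    except pickle.UnpicklingError as e:
        print("safe_load:", e)
    unsafe_load(evil)
    print("unsafe_load ran payload:", payload_fired())
```

Running it shows the scan naming `builtins.exec`, the manifest rejecting the crafted file, the allowlisting unpickler refusing it, and the plain load executing the payload. In a real pipeline the manifest must come from somewhere the attacker cannot rewrite together with the checkpoint (signed, or held with stricter permissions than the bucket), the static scan is a heuristic that a determined attacker can work around, and for real tensors the allowlist approach is what `torch.load(..., weights_only=True)` implements.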
Weaknesses (CWE)
CWE-502: Deserialization of Untrusted Data
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (local attack vector, low complexity, no privileges required, user interaction required, unchanged scope, high confidentiality, integrity and availability impact)
References
- github.com/pytorchlightning/pytorch-lightning/commit/62f1e82e032eb16565e676d39e0db0cac7e34ace (Patch, Third Party Advisory)
- huntr.dev/bounties/31832f0c-e5bb-4552-a12c-542f81f111e6 (Exploit, Issue Tracking, Patch, Third Party Advisory)
Related Vulnerabilities
- CVE-2023-43654 (9.8) TorchServe: SSRF + RCE via unrestricted model URL loading
- CVE-2024-5452 (9.8) pytorch-lightning: RCE via deepdiff Delta deserialization (same package)
- CVE-2022-0845 (9.8) pytorch-lightning: code injection enables full RCE (same package)
- CVE-2022-45907 (9.8) PyTorch: RCE via unsafe eval in JIT annotations
- CVE-2024-35198 (9.8) TorchServe: URL bypass enables arbitrary model loading