AI Threat Alert

CVE-2021-4118: pytorch-lightning: deserialization RCE via malicious checkpoint

HIGH PoC AVAILABLE
Published December 23, 2021
CISO Take

Any ML engineer loading a checkpoint file from an untrusted source—shared S3 bucket, model registry, or colleague's drive—can trigger arbitrary code execution on their workstation or training server. Upgrade pytorch-lightning immediately and restrict checkpoint ingestion to internally-generated, integrity-verified files only. This is a realistic insider threat and supply chain vector for organizations with active ML training workflows.

What is the risk?

High risk for organizations running ML training workflows. The local attack vector and required user interaction limit opportunistic exploitation, but in practice ML teams routinely share .ckpt files via cloud storage, model registries, and internal repos—creating realistic supply chain and insider threat paths. Training processes often run with elevated permissions or cloud IAM roles, amplifying the blast radius beyond the CVSS 7.8 score suggests.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PyTorch pip No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 3d ago 11% patched ~216d to patch Full package profile →

Do you use PyTorch? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
1.0%
chance of exploitation in 30 days
Higher than 58% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR None
UI Required
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. Upgrade pytorch-lightning to a patched version per commit 62f1e82e.

  2. Audit all CI/CD and MLOps pipelines for external checkpoint ingestion points.

  3. Restrict checkpoint loading to internally-generated files with cryptographic integrity checks (SHA-256 manifest).

  4. Use picklescan or modelscan to scan existing .ckpt files for malicious payloads before loading.

  5. Never load checkpoint files from untrusted sources without sandboxing (e.g., isolated container with no network/credential access).

  6. Monitor for anomalous subprocess spawning or outbound connections during model loading in SIEM/EDR.

How is it classified?

Code Execution Supply Chain Framework Training Data AML.T0010.001 AML.T0011.000 AML.T0011.001 AML.T0018.002

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
A.5.2 - AI system risk management A.6.2 - AI system operation and monitoring
NIST AI RMF
GOVERN 1.1 - Organizational risk policies for AI MAP 1.5 - AI supply chain risk identification
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-4118?

Any ML engineer loading a checkpoint file from an untrusted source—shared S3 bucket, model registry, or colleague's drive—can trigger arbitrary code execution on their workstation or training server. Upgrade pytorch-lightning immediately and restrict checkpoint ingestion to internally-generated, integrity-verified files only. This is a realistic insider threat and supply chain vector for organizations with active ML training workflows.

Is CVE-2021-4118 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-4118, increasing the risk of exploitation.

How to fix CVE-2021-4118?

1. Upgrade pytorch-lightning to a patched version per commit 62f1e82e. 2. Audit all CI/CD and MLOps pipelines for external checkpoint ingestion points. 3. Restrict checkpoint loading to internally-generated files with cryptographic integrity checks (SHA-256 manifest). 4. Use picklescan or modelscan to scan existing .ckpt files for malicious payloads before loading. 5. Never load checkpoint files from untrusted sources without sandboxing (e.g., isolated container with no network/credential access). 6. Monitor for anomalous subprocess spawning or outbound connections during model loading in SIEM/EDR.

What systems are affected by CVE-2021-4118?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps pipelines, collaborative ML workflows.

What is the CVSS score for CVE-2021-4118?

CVE-2021-4118 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.98%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingMLOps pipelinescollaborative ML workflows

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0011.001 Malicious Package
AML.T0018.002 Embed Malware

Compliance Controls Affected

ISO 42001: A.5.2, A.6.2
NIST AI RMF: GOVERN 1.1, MAP 1.5
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

pytorch-lightning is vulnerable to Deserialization of Untrusted Data

Exploitation Scenario

An adversary targeting an ML team uploads a weaponized .ckpt checkpoint file to a shared S3 bucket or internal model registry used by the organization—either via a compromised contributor account or a malicious open-source contribution. A data scientist or MLOps engineer loads the checkpoint to resume a training run. pytorch-lightning deserializes the file using Python's pickle protocol, executing the embedded payload. The attacker gains a reverse shell running as the training process, harvests AWS/GCP metadata service credentials, exfiltrates proprietary model weights, and establishes persistence in the ML infrastructure.

Weaknesses (CWE)

CWE-502 Deserialization of Untrusted Data

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Timeline

Published
December 23, 2021
Last Modified
November 21, 2024
First Seen
December 23, 2021

Related Vulnerabilities

CRITICAL CVE-2023-43654 9.8

TorchServe: SSRF + RCE via unrestricted model URL loading

Same package: torch
CRITICAL CVE-2024-5452 9.8

pytorch-lightning: RCE via deepdiff Delta deserialization

Same package: torch
CRITICAL CVE-2022-0845 9.8

pytorch-lightning: code injection enables full RCE

Same package: torch
CRITICAL CVE-2022-45907 9.8

PyTorch: RCE via unsafe eval in JIT annotations

Same package: torch
CRITICAL CVE-2024-35198 9.8

TorchServe: URL bypass enables arbitrary model loading

Same package: torch
Back to Threat Feed