Skip to content

[Discussion] Evaluate safer serialization alternatives to pickle/torch.load #1055

New issue
New issue
Open
Open
[Discussion] Evaluate safer serialization alternatives to pickle/torch.load#1055
Assignees
kevalmorabia97
Labels
feature requestNew feature or requesttorch.quantizationtriaged
@RinZ27

Description

@RinZ27
RinZ27
opened on Mar 17, 2026

Several core modules (e.g., modelopt/torch/opt/plugins/megatron.py, distribute.py) currently rely on torch.load(weights_only=False) and pickle.loads for state management. While these are documented as internal use cases, they present RCE risks if checkpoints are sourced from untrusted environments (e.g., public hubs).

I suggest exploring safetensors or implementing strict safe_globals allowlists for future releases to harden the library against malicious model files.

Metadata

Metadata

Assignees

Labels

feature requestNew feature or requesttorch.quantizationtriaged

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions