fix: add weights_only=True to torch.load calls in apply_delta.py#3863

Open
Chessing234 wants to merge 1 commit into lm-sys:main from Chessing234:fix/apply-delta-weights-only-torch-load

Conversation

@Chessing234

Bug

All four torch.load() calls in apply_delta.py omit weights_only=True. Without this flag, PyTorch uses pickle deserialization, which allows a maliciously crafted .bin checkpoint to execute arbitrary code on the host machine when loaded.

Root cause

torch.load defaults to weights_only=False for backward compatibility. PyTorch has deprecated this default since 2.0 and will raise a FutureWarning in affected versions. Explicitly passing weights_only=True restricts loading to tensor data only.

Fix

Add weights_only=True to all four torch.load() calls — lines 37, 90, 97, and 102 — in split_files and apply_delta_low_cpu_mem. No behavior change for legitimate .bin files containing only tensors.

Fixes #3777

torch.load without weights_only=True uses pickle deserialization, which
allows arbitrary code execution from a malicious checkpoint file. Pass
weights_only=True to all four torch.load calls so only tensor data is
loaded.

Fixes lm-sys#3777
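The mechanism the PR description refers to, shown as an added example that is not part of this PR or of the FastChat code base. torch.load() with weights_only=False is pickle.load() plus tensor reconstruction, so any callable reachable by module path can be invoked while the stream is read; weights_only=True swaps in a restricted unpickler that only resolves an allow-list of globals. The block below reproduces both behaviours with the standard-library pickle module so it runs without PyTorch: the "checkpoint" is a constructed OrderedDict of lists standing in for tensors, the payload object is constructed, and the restricted loader's allow-list is an illustrative stand-in for PyTorch's own list (which additionally covers the torch storage classes and tensor rebuild helpers). The real call site should read torch.load(path, map_location="cpu", weights_only=True).

```python
"""Stdlib analogue of torch.load(weights_only=False) versus weights_only=True."""
import collections
import io
import os
import pickle


def build_benign_checkpoint() -> bytes:
    """Constructed state_dict: layer name -> list of floats standing in for tensors."""
    state = collections.OrderedDict()
    state["encoder.weight"] = [0.1, -0.2, 0.3]
    state["encoder.bias"] = [0.0]
    return pickle.dumps(state, protocol=pickle.HIGHEST_PROTOCOL)


class _RunOnLoad:
    """Constructed stand-in for an attacker-controlled object inside a .bin file.

    pickle honours __reduce__: the returned tuple tells the unpickler "call this
    callable with these arguments" and substitutes the return value for the
    object. A real payload would call os.system or subprocess; eval of
    os.getpid() is used here so the example is harmless to run yet still proves
    the code executed inside the loading process.
    """

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_malicious_checkpoint() -> bytes:
    """A checkpoint that still carries plausible weights plus one trigger object.

    Nothing here depends on torch; any script that can write a pickle can
    produce a file that apply_delta.py would happily open.
    """
    state = collections.OrderedDict()
    state["encoder.weight"] = [0.1, -0.2, 0.3]
    state["__trigger__"] = _RunOnLoad()
    return pickle.dumps(state, protocol=pickle.HIGHEST_PROTOCOL)


def unsafe_load(blob: bytes):
    """What torch.load(path) did by default: every GLOBAL in the stream is trusted."""
    return pickle.loads(blob)


# Illustrative allow-list. PyTorch's weights_only unpickler keeps its own,
# larger list (collections.OrderedDict, torch storage classes, the
# torch._utils tensor rebuild helpers, ...); this one is just enough for the
# constructed checkpoint above.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve a global only if it is on the allow-list; refuse everything else.

    find_class() is consulted for every GLOBAL/STACK_GLOBAL opcode before the
    callable can be used by a later REDUCE, so a forbidden callable is rejected
    before it ever runs.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"Unsupported global: {module}.{name} is not an allowed global"
        )


def weights_only_load(blob: bytes):
    """Analogue of torch.load(path, weights_only=True)."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def payload_ran_in_this_process(blob: bytes) -> bool:
    """True if loading the blob unsafely executed the trigger in our own PID."""
    return unsafe_load(blob)["__trigger__"] == os.getpid()


def restricted_load_rejects(blob: bytes) -> bool:
    """True if the restricted loader refuses the blob without running anything."""
    try:
        weights_only_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("benign, restricted :", weights_only_load(build_benign_checkpoint()))
    print("malicious, unsafe  :", payload_ran_in_this_process(build_malicious_checkpoint()))
    print("malicious, rejected:", restricted_load_rejects(build_malicious_checkpoint()))
```

Two caveats for anyone applying the same fix elsewhere: weights_only=True raises on any checkpoint whose state_dict contains non-tensor Python objects (a stored argparse.Namespace or custom config class, for instance), so the change is only behaviour-preserving for files that really hold tensors, and such objects must be opted in via torch.serialization.add_safe_globals rather than by dropping the flag; and PyTorch 2.6 and later flip the default to weights_only=True, so passing it explicitly mainly protects users on older installs.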

Development

Successfully merging this pull request may close these issues.

Pickle Deserialization RCE via torch.load()

1 participant