The Open Weight Vulnerability

Unlike traditional software libraries, which are scanned for CVEs, machine learning models consist of billions of floating-point numbers stored in large binary weights (e.g., PyTorch .bin or .pt files). These files can contain embedded code execution payloads. If a developer downloads a model from a public hub like Hugging Face without verification, they are executing unverified binary files on their GPU clusters.

Furthermore, attackers can poison model weights by fine-tuning open-source LLMs to contain backdoors—such as generating vulnerable code or leaking specific inputs when triggered by secret keywords.

Hardening the ML Supply Chain

To secure model weight distribution pipelines, ML engineering teams must implement strict validation gateways:

  • Safetensors Adoption: Enforce the use of .safetensors files instead of pickle-based PyTorch weights, eliminating file-level code execution vulnerabilities.
  • Hash and Checksum Verification: Validate weight files against secure, published cryptographic hashes before loading them into runtime memory.
  • Backdoor Detection Pipelines: Run unit-test evaluation suites on newly loaded models to verify they perform consistently and do not respond to specific activation triggers.