From f322a5f08e6c1d1f906b75c1c10befebb534bd42 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Tue, 26 May 2026 17:13:17 -0700
Subject: [PATCH] fix(prime_rl): unsafe torch.load with weights_only=false enables

In `CheckpointManager.load_from_path()`, `torch.load()` is called with `weights_only=False` (line with `torch.load(f, weights_only=False)`). This is a critical security vulnerability because it allows arbitrary Python code execution during checkpoint deserialization. An attacker who can control the checkpoint file can execute arbitrary code on the system. The `weights_only=False` parameter disables PyTorch's safe unpickling mode, which was the default behavior in older PyTorch versions but is known to be dangerous.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 src/prime_rl/orchestrator/ckpt.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/prime_rl/orchestrator/ckpt.py b/src/prime_rl/orchestrator/ckpt.py
index 19277e3063..b98123b61c 100644
--- a/src/prime_rl/orchestrator/ckpt.py
+++ b/src/prime_rl/orchestrator/ckpt.py
@@ -57,7 +57,7 @@ def load_from_path(self, ckpt_path: Path, progress: Progress, buffer: Buffer) ->
             self.logger.info("Skipping progress loading from checkpoint")
         else:
             with open(ckpt_path / "progress.pt", "rb") as f:
-                state = torch.load(f, weights_only=False)
+                state = torch.load(f, weights_only=True)
 
                 # Set progress in-place
                 for key, value in asdict(state["progress"]).items():
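Review bot: Switching to `weights_only=True` will make PyTorch's restricted unpickler reject the `Progress` object that the very next lines read back through `asdict(state["progress"])`, because a project dataclass is not in the default allowlist of safe globals, so this hunk most likely turns every checkpoint resume into a `pickle.UnpicklingError` instead of hardening it. The narrow fix is to allowlist exactly that type around the load, e.g. `with open(ckpt_path / "progress.pt", "rb") as f, torch.serialization.safe_globals([Progress]):` followed by the unchanged `state = torch.load(f, weights_only=True)` (assuming the project's torch ships `safe_globals`; older releases need a one-time `torch.serialization.add_safe_globals([Progress])`), and any other non-tensor type written into `progress.pt` on the save side, which is outside this hunk, needs the same treatment. Even with the allowlist, `weights_only` only bounds which globals a checkpoint may construct and is not a trust boundary for the file itself, so checkpoint paths should still come only from storage the orchestrator controls; that is worth a comment above the load, e.g. `# weights_only=True: only tensors/primitives plus the allowlisted Progress dataclass may be unpickled`. `load_from_path` starts and ends outside this hunk.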