torch.load of Hugging Face pytorch_model.bin in Mamba from_pretrainedMITRE service request: 1988584
Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).
The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method uses torch.load() to load the pytorch_model.bin weight file without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by publishing a malicious model repository on HuggingFace Hub. When a victim loads a model from this repository, arbitrary code is executed on the victim’s system in the context of the mamba process.
Loading a malicious Hugging Face repo causes MambaLMHeadModel.from_pretrained to torch.load pytorch_model.bin with full pickle gadgets—classic supply-chain RCE against researchers running benchmark scripts.
10b5d6358f27966f6a40e4bf0baa17a460688128).-model-name attacker/repo style CLI usage.torch.load on cached pytorch_model.bin.High — Hugging Face typosquatting is common.
safetensors conversions when available; upgrade TBD.