Advisories for Pypi/Stanza package

2026

Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders

Stanza 1.12.0 attempts to safely load PyTorch checkpoint files using torch.load(…, weights_only=True), but automatically falls back to the fully unsafe torch.load(…, weights_only=False) when the safe load raises pickle.UnpicklingError. Because the UnpicklingError condition is fully attacker-controllable, any .pt file that contains a single unsupported pickle global will trigger it. An attacker who can place a malicious pretrain or model file on disk (via supply-chain compromise, a poisoned model repository, or a …
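The downgrade path described above, as an added illustration that is not Stanza's or PyTorch's code: the standard-library pickle module models the mechanism, with a restricted unpickler standing in for weights_only=True and one non-allowlisted global in a constructed checkpoint (a harmless fractions.Fraction) being enough to push the vulnerable loader into an unrestricted load, while the hardened loader fails closed. SAFE_GLOBALS, the loader names and the sample checkpoints are assumptions of this example.

```python
import collections
import fractions
import io
import pickle

# Globals the restricted loader will resolve. This stands in for the idea
# behind torch.load(weights_only=True); the allowlist is constructed here.
SAFE_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals; anything else is UnpicklingError."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"unsupported global {module}.{name}")

def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def vulnerable_load(data: bytes):
    """The pattern in the advisory: one rejected global downgrades the whole
    load to an unrestricted unpickle, so the allowlist is bypassable."""
    try:
        return safe_load(data)
    except pickle.UnpicklingError:
        return pickle.loads(data)  # every global in the file now resolves

def hardened_load(data: bytes):
    """Fail closed: a rejected global is a load error, never a downgrade."""
    return safe_load(data)  # UnpicklingError propagates to the caller

# Constructed checkpoints. The poisoned one references a global outside the
# allowlist; fractions.Fraction is harmless, so only the downgrade is shown.
CLEAN_CKPT = pickle.dumps(collections.OrderedDict(w=[1.0, 2.0]))
POISONED_CKPT = pickle.dumps(collections.OrderedDict(w=fractions.Fraction(1, 2)))

def loader_outcomes():
    """Return (what the vulnerable loader hands back for the poisoned file,
    whether the hardened loader rejected it)."""
    downgraded = vulnerable_load(POISONED_CKPT)
    try:
        hardened_load(POISONED_CKPT)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    return downgraded, rejected

if __name__ == "__main__":
    print(loader_outcomes())
```

The same check applies to a real checkpoint: if a load with weights_only=True raises UnpicklingError, treat the file as untrusted and stop rather than retrying without the restriction.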