
SafeTensors vs Pickle: Why ML Supply Chain Security Matters

Source: SafeTensors vs Pickle \ Date Published: 2026 \ Author/Org: AIsbom


TL;DR

Python pickle has long been the default serialization format for PyTorch model weights, but it is a stack-based virtual machine rather than a data format: opcodes such as GLOBAL and REDUCE import any callable by name and call it while the file is being read, so an untrusted checkpoint is an untrusted program. HuggingFace's SafeTensors offers a data-only alternative (an 8-byte length, a JSON header and flat binary buffers) that removes that code-execution vector and enables zero-copy memory-mapped loading. Migration is necessary but not sufficient: weight tampering, license compliance violations and dependency CVEs still need auditing. AIsbom is a static-analysis tool purpose-built for ML supply chain auditing.

The Pickle Problem

Python's pickle module is not a simple serialization format. It is a stack-based virtual machine with its own instruction set, and the unpickler runs that program as it reads the file. Two opcodes are enough for an attack: GLOBAL (and its protocol-4 form STACK_GLOBAL) resolves a module and attribute name to any importable object, and REDUCE pops a callable and an argument tuple off the stack and calls the callable. Nothing restricts the name to a tensor or model class; a shell-spawning function from the standard library resolves just as readily. A pickle crafted this way executes arbitrary code on whatever machine loads it, before a single weight has been read.

For years, PyTorch used pickle as the default format for saving and loading model weights via torch.save() and torch.load(): a .pt or .bin checkpoint is a zip archive whose data.pkl is unpickled on load. Every time a researcher downloads a model from the HuggingFace Hub and loads it with that default loader, they are implicitly trusting that the pickle has not been tampered with. A malicious actor who can modify a popular checkpoint compromises every machine that loads it, a textbook supply chain attack. Since PyTorch 2.6, torch.load() defaults to weights_only=True, which swaps in a restricted unpickler that only admits tensor and primitive types; older versions, and any call that passes weights_only=False, still run the full interpreter.
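
The mechanism described above, as an added example that is not code from this page or from AIsbom: a hand-written pickle whose entire program is GLOBAL + REDUCE (calling the harmless builtins.len rather than anything destructive), a scanner that disassembles a pickle with pickletools without executing it and reports the code-bearing opcodes, and a restricted unpickler in the spirit of weights_only loading that refuses every import outside an allow-list. The opcode set, the allow-list and the sample pickles are this example's own choices; the only standard-library APIs used are pickle, pickletools and io.

```python
import io
import pickle
import pickletools

# Opcodes that import or call code while unpickling. A data-only pickle
# (dicts, lists, tuples, strings, numbers, bytes) never needs any of them.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                "NEWOBJ", "NEWOBJ_EX", "BUILD"}

# Constructed for this example: a hand-written protocol-0 pickle.
#   cbuiltins\nlen\n   GLOBAL  -> import builtins.len and push it
#   (                  MARK
#   S'abc'\n           STRING  -> push 'abc'
#   t                  TUPLE   -> ('abc',)
#   R                  REDUCE  -> call len('abc')
#   .                  STOP
# The callable is harmless here; the format accepts any module.name.
DEMO_PICKLE = b"cbuiltins\nlen\n(S'abc'\ntR."

# Constructed benign pickle: a state-dict-like mapping with no globals at all.
BENIGN_PICKLE = pickle.dumps({"w": [1.0, 2.0]})


class _ReducesToCall:
    """Objects whose __reduce__ returns (callable, args) are serialised by
    pickle.dumps as STACK_GLOBAL + REDUCE; this is the hook payloads use."""
    def __reduce__(self):
        return (len, ("abcd",))


GENERATED_PICKLE = pickle.dumps(_ReducesToCall(), protocol=4)


def scan_pickle(data):
    """Disassemble WITHOUT executing and list every code-bearing opcode as
    (byte offset, opcode name, argument). An empty list means data-only."""
    return [(pos, op.name, arg) for op, arg, pos in pickletools.genops(data)
            if op.name in CODE_OPCODES]


def unrestricted_loads(data):
    """What plain pickle.loads, or torch.load(weights_only=False), does:
    every GLOBAL is imported and every REDUCE is called."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is what GLOBAL and STACK_GLOBAL resolve through. Only
    allow-listed names are returned, so REDUCE has nothing else to call.
    The allow-list is this example's own choice, not a standard one."""
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_outcome(data):
    """'loaded' if the restricted loader accepts the bytes, else 'blocked: ...'."""
    try:
        restricted_loads(data)
        return "loaded"
    except pickle.UnpicklingError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for label, blob in [("demo", DEMO_PICKLE), ("generated", GENERATED_PICKLE),
                        ("benign", BENIGN_PICKLE)]:
        print(label, [name for _, name, _ in scan_pickle(blob)], load_outcome(blob))
```

The scanner is the cheap pre-check: it reads opcodes with pickletools.genops and never evaluates anything, so it is safe to run on a file you do not trust. The restricted unpickler is the defence at load time, and its allow-list has to stay tiny, because any class it admits becomes reachable by REDUCE and BUILD in turn.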

SafeTensors: A Safer Alternative

SafeTensors, developed by HuggingFace, redesigns model serialization from the ground up:

  • Data-only format: An 8-byte little-endian length prefix is followed by a JSON header that describes each tensor (name, dtype, shape and byte offsets into the data region), followed by the flat binary buffers holding the raw tensor data, packed back to back.
  • No code execution: There is no opcode interpreter and no reconstruction of arbitrary objects; the loader parses JSON, checks the offsets against the file, and slices bytes.
  • Zero-copy memory mapping: Because every tensor lives at a known offset in one contiguous data region, a loader can mmap the file and expose tensors as views into it, which can be dramatically faster than pickle's deserialization.
  • Lazy loading: Individual tensors can be read selectively by offset without loading the entire file into memory.

The format has been widely adopted across the HuggingFace ecosystem and is increasingly the recommended format for model distribution.

Beyond Serialization: Remaining Threats

Even with SafeTensors adoption, the ML supply chain threat model includes:

  1. Weight tampering: A model's weight values can be subtly modified to introduce backdoors or degrade performance. SafeTensors validates the layout (offsets, dtypes, shapes) but carries no checksum or signature over the bytes, so integrity has to come from a digest or signature pinned outside the file.
  2. License compliance: Model weights may be distributed under licenses that restrict usage, and there are few automated tools to verify compliance.
  3. Dependency CVEs: The libraries used to load, run, or fine-tune models (PyTorch, Transformers, etc.) may have known vulnerabilities.
  4. Metadata spoofing: The header's optional __metadata__ block is a free-form string-to-string map that nothing authenticates, so any provenance it claims (source, license, base model) can be written by whoever last touched the file.
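
The format laid out in the SafeTensors section and the two gaps just listed (no integrity check, unauthenticated metadata), as one added example that is neither the safetensors library's code nor AIsbom's: a minimal writer and a validating parser for the u64-length + JSON header + buffers layout, a lazy single-tensor read, and a per-tensor SHA-256 manifest that catches a flipped byte the loader itself accepts without complaint. The header size cap, the dtype table, the validation rules and the sample tensors are this example's assumptions; in the real library the lazy and memory-mapped path is safe_open.

```python
import hashlib
import json
import math
import struct

# Bytes per element for the dtype strings handled here (a subset of the spec's).
DTYPE_SIZE = {"F32": 4, "F16": 2, "BF16": 2, "I64": 8, "I32": 4, "U8": 1, "BOOL": 1}
MAX_HEADER_BYTES = 100_000_000  # this example's own cap; a bogus length cannot force a huge read


def write_safetensors(tensors, metadata=None):
    """Serialise {name: (dtype, shape, raw_bytes)} as safetensors bytes:
    u64 little-endian header length, JSON header, then the raw buffers packed
    back to back. data_offsets are relative to the start of the data region."""
    header = {"__metadata__": metadata} if metadata else {}
    buffers, offset = [], 0
    for name in sorted(tensors):  # deterministic layout
        dtype, shape, raw = tensors[name]
        header[name] = {"dtype": dtype, "shape": shape,
                        "data_offsets": [offset, offset + len(raw)]}
        buffers.append(raw)
        offset += len(raw)
    hdr = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(hdr)) + hdr + b"".join(buffers)


def parse_header(blob):
    """Parse the header and check it against the file before any tensor is
    touched. Returns (header, data_start). A hostile file can only make one of
    these pure-data checks raise; it can never make the loader run code."""
    if len(blob) < 8:
        raise ValueError("shorter than the 8-byte header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER_BYTES or n > len(blob) - 8:
        raise ValueError(f"header length {n} exceeds cap or file size")
    header = json.loads(bytes(blob[8:8 + n]).decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    meta = header.get("__metadata__", {})
    if not isinstance(meta, dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in meta.items()):
        raise ValueError("__metadata__ must map strings to strings")
    names = sorted((k for k in header if k != "__metadata__"),
                   key=lambda k: header[k]["data_offsets"][0])
    expected = 0  # tensors must tile the data region exactly: no gaps, overlaps or overruns
    for name in names:
        info = header[name]
        begin, end = info["data_offsets"]
        if info["dtype"] not in DTYPE_SIZE:
            raise ValueError(f"{name}: unsupported dtype {info['dtype']!r}")
        size = DTYPE_SIZE[info["dtype"]] * math.prod(info["shape"])
        if begin != expected or end - begin != size:
            raise ValueError(f"{name}: offsets [{begin}, {end}) not contiguous or "
                             f"inconsistent with dtype/shape")
        expected = end
    data_len = len(blob) - 8 - n
    if expected != data_len:
        raise ValueError(f"header accounts for {expected} data bytes, file has {data_len}")
    return header, 8 + n


def read_tensor(blob, name):
    """Lazy read: only the named tensor's byte range is sliced. Pass an mmap
    object instead of bytes and this is the zero-copy path."""
    header, start = parse_header(blob)
    info = header[name]
    begin, end = info["data_offsets"]
    return info["dtype"], info["shape"], bytes(blob[start + begin:start + end])


def tensor_digests(blob):
    """SHA-256 per tensor over the raw buffers. Nothing inside the file
    authenticates these bytes, so the digests must be pinned outside it."""
    header, start = parse_header(blob)
    digests = {}
    for name, info in header.items():
        if name != "__metadata__":
            begin, end = info["data_offsets"]
            digests[name] = hashlib.sha256(blob[start + begin:start + end]).hexdigest()
    return digests


def verify_against_manifest(blob, manifest):
    """Names whose bytes differ from the pinned digests; added or missing tensors count too."""
    actual = tensor_digests(blob)
    return sorted(n for n in set(manifest) | set(actual) if manifest.get(n) != actual.get(n))


def build_sample():
    """Constructed sample: a 2x2 F32 weight and a 2-element F32 bias."""
    return write_safetensors({
        "w": ("F32", [2, 2], struct.pack("<4f", 1.0, 2.0, 3.0, 4.0)),
        "b": ("F32", [2], struct.pack("<2f", 0.5, -0.5)),
    }, metadata={"format": "pt"})


def tamper_sample(blob):
    """Constructed tamper: flip one byte inside 'w', header untouched. The file
    still parses and loads cleanly; only a digest comparison notices."""
    header, start = parse_header(blob)
    out = bytearray(blob)
    out[start + header["w"]["data_offsets"][0]] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    good = build_sample()
    print(read_tensor(good, "b"))
    print(verify_against_manifest(tamper_sample(good), tensor_digests(good)))
```

The point of the contiguity check in parse_header is that a header is the only thing an attacker can use to steer the loader, so every offset is tested against the file before any slice is taken; the point of the manifest is that a correct header says nothing about whether the bytes under it are the ones the publisher shipped.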

AIsbom: ML Bill of Materials

AIsbom addresses these gaps by providing a static analysis tool that generates a Software Bill of Materials (SBOM) for ML models. It inspects model files, container images, and associated metadata to identify known vulnerabilities, license issues, and supply chain risks.

Key Takeaways

  1. Python pickle is an arbitrary code execution vector disguised as a serialization format; it should never be used to load untrusted model files.
  2. SafeTensors removes that vector by storing only data (JSON header + binary tensors) and enables zero-copy memory-mapped loading.
  3. The migration to SafeTensors is necessary but not sufficient — weight tampering, license compliance, and dependency CVEs remain open threats.
  4. Tools like AIsbom provide automated ML supply chain auditing, generating SBOMs for model artifacts.
  5. ML security is still in its infancy — the industry needs standardized auditing, signatures, and provenance tracking for model distribution.