Set weights_only=True when using torch.load()

[russellb]

The default behavior of torch.load() uses pickle to deserialize
data, which is known to be insecure when used with untrusted data
sources. vLLM used torch.load() with data pulled from potentially
untrusted sources (huggingface). This could potentially allow
malicious code execution on a machine that tried to run a malicious or
compromised model using vllm.

Fixes GHSA-rh4j-5rhw-hr54.

Thank you to @DogeWatch for the report.

Signed-off-by: Russell Bryant [email protected]

[github-actions]

👋 Hi! Thank you for contributing to the vLLM project.
Just a reminder: PRs would not trigger full CI run by default. Instead, it would only run fastcheck CI which starts running only a small and essential subset of CI tests to quickly catch errors. You can run other CI tests on top of those by going to your fastcheck build on Buildkite UI (linked in the PR checks section) and unblock them. If you do not have permission to unblock, ping simon-mo or khluu to add you in our Buildkite org.

Once the PR is approved and ready to go, your PR reviewer(s) can run CI to test the changes comprehensively before merging.

To run CI, PR reviewers can do one of these:

• Add ready label to the PR
• Enable auto-merge.

🚀

[njhill]

Thanks @russellb

[mgoin]

This seems reasonable. FYI this will become the default behavior in upcoming torch 2.6 https://dev-discuss.pytorch.org/t/bc-breaking-change-torch-load-is-being-flipped-to-use-weights-only-true-by-default-in-the-nightlies-after-137602/2573

[russellb]

This seems reasonable. FYI this will become the default behavior in upcoming torch 2.6 https://dev-discuss.pytorch.org/t/bc-breaking-change-torch-load-is-being-flipped-to-use-weights-only-true-by-default-in-the-nightlies-after-137602/2573

Yeah, I was looking at that earlier and hoping it had already made it out into a release.

pytorch/pytorch@ca43ecd

[andy-neuma]

cool