llama-index-embeddings-adapter: torch.load() without weights_only=True allows pickle deserialization

[ryosuke-tokushima]

Issue Title

llama-index-embeddings-adapter: torch.load() without weights_only=True allows arbitrary code execution via pickle

Summary

BaseAdapter.load() in llama-index-embeddings-adapter calls torch.load() without weights_only=True. Since PyTorch 1.13+, omitting this parameter is deprecated and triggers a FutureWarning; in future PyTorch versions it will default to True. More importantly, loading an untrusted .bin file with the current code allows arbitrary code execution via Python's pickle deserialization.

Affected File

llama-index-integrations/embeddings/llama-index-embeddings-adapter/llama_index/embeddings/adapter/utils.py
(confirmed on llama-index-core==0.14.21, commit a3aeb31)

Vulnerable Code

@classmethod
def load(cls, input_path: str) -> "BaseAdapter":
    """Load model."""
    with open(os.path.join(input_path, "config.json")) as fIn:
        config = json.load(fIn)
    model = cls(**config)
    model.load_state_dict(
        torch.load(                                      # ← no weights_only=True
            os.path.join(input_path, "pytorch_model.bin"),
            map_location=torch.device("cpu"),
        )
    )
    return model

input_path is passed directly from the caller (AdapterEmbeddingModel.__init__ via adapter_path argument), making it user-controlled.

Attack Scenario

1. Attacker publishes a HuggingFace Hub repository containing a malicious pytorch_model.bin (a pickled object with __reduce__ that executes a shell command).
2. A user who fine-tuned an adapter model downloads it and loads it via AdapterEmbeddingModel(adapter_path="attacker/malicious-adapter", ...).
3. torch.load("pytorch_model.bin") deserializes the pickle payload → arbitrary code execution on the user's machine.

Impact

Arbitrary code execution at model-load time for any user who loads an adapter from an untrusted path.

Suggested Fix

model.load_state_dict(
    torch.load(
        os.path.join(input_path, "pytorch_model.bin"),
        map_location=torch.device("cpu"),
        weights_only=True,   # ← safe: only loads tensor weights, no pickle execution
    )
)

If the adapter structure requires non-tensor objects that weights_only=True cannot handle, consider using safetensors format instead:

from safetensors.torch import load_file
state_dict = load_file(os.path.join(input_path, "model.safetensors"))
model.load_state_dict(state_dict)

Reference

• PyTorch Security: Unsafe deserialization with torch.load
• CVE-2025-32434 — related torch.load deserialization issue

Discovery

Found via static analysis of the llama_index codebase.

[dosubot]

Hi @ryosuke-tokushima! I'm Dosu and I’m helping the llama_index team.

Good catch — I can confirm the vulnerability. The torch.load() call in BaseAdapter.load() at utils.py does not pass weights_only=True:

model.load_state_dict(
    torch.load(
        os.path.join(input_path, "pytorch_model.bin"),
        map_location=torch.device("cpu"),
    )
)

This is the only torch.load() call in the LlamaIndex codebase [1]. The fix you suggested — adding weights_only=True — is straightforward and should work here since load_state_dict only expects a dict of tensors. Worth noting that the repo has previously addressed pickle deserialization issues elsewhere (e.g., PR #20857 added a RestrictedUnpickler), so this pattern is consistent with ongoing security hardening.

To reply, just mention @dosu.

---

Share context across your team and agents. Try Dosu.

[ShubhamGond105]

Hi 👋

I'd like to work on this fix.
The change is straightforward — adding weights_only=True
to the torch.load() call.

Could I submit a PR for this?

[ryosuke-tokushima]

Hi there. Okay,Please submit this issue PR. Thank you for your sharing and confirmation. 2026年4月25日(土) 2:54 Shubham Gond ***@***.***>:

…

*ShubhamGond105* left a comment (run-llama/llama_index#21465) <#21465 (comment)> Hi 👋 I'd like to work on this fix. The change is straightforward — adding weights_only=True to the torch.load() call. Could I submit a PR for this? — Reply to this email directly, view it on GitHub <#21465 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AZCLOTVUX6M653CTI5QLTZD4XOS7FAVCNFSM6AAAAACYFMPPQCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DGMJVGIZTCMRRGI> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[ShubhamGond105]

Hi @ryosuke-tokushima

Could you please review this PR.

This fixes a security vulnerability where torch.load() was called without weights_only=True in BaseAdapter.load(),
which allows arbitrary code execution via pickle deserialization.

Changes:

Added weights_only=True to torch.load() in utils.py
Added unit test to prevent regression
Both tests pass locally ✅

Thank you!