A deserialization attack exploits the process of converting a formatted byte stream back into a live object. In the context of AI, attackers tamper with serialized model files—such as pickle files in Python—to embed arbitrary code. When the model is loaded via a framework like PyTorch or TensorFlow, the malicious payload executes with the privileges of the loading process, enabling remote code execution.
Glossary
Deserialization Attack

What is Deserialization Attack?
A deserialization attack is a critical software exploit where an attacker injects malicious code into a serialized object, which is then executed when the application reconstructs the object from its byte stream.
This vulnerability is a critical AI supply chain risk. A compromised model file can bypass traditional security scans because the payload is inert until deserialization. Mitigations include using safer serialization formats like Safetensors or ONNX, loading models in sandboxed execution environments, and cryptographically verifying model provenance before deserialization.
Key Characteristics
A deserialization attack exploits the process of reconstructing a serialized object to inject malicious code, which executes when an AI model file is loaded.
Mechanism of Exploitation
The attack targets the deserialization process, where a byte stream is converted back into a live object. Attackers embed a malicious payload within the serialized data. When the AI framework (like PyTorch or TensorFlow) loads the model, the deserialization routine triggers arbitrary code execution, bypassing standard security controls. This is particularly dangerous because model files are often treated as inert data.
Common Attack Vectors
- Pickle Injection: The Python
picklemodule, widely used in PyTorch, can execute arbitrary code during unpickling. - Keras Lambda Layers: Custom layers in HDF5 files can embed arbitrary functions that execute on load.
- ONNX Custom Ops: Malicious operators in ONNX graphs can trigger unsafe code execution.
- Java Deserialization: In Java-based ML serving systems, manipulating serialized Java objects can lead to remote code execution.
Impact on AI Systems
A successful deserialization attack grants the adversary full remote code execution on the inference server. This can lead to:
- Model Theft: Exfiltration of proprietary model weights.
- Data Breach: Access to sensitive training data or user inputs.
- Supply Chain Compromise: A backdoored model distributed via a public hub like Hugging Face can infect downstream consumer systems.
- System Takeover: Lateral movement within the enterprise network.
Mitigation Strategies
- Safetensors Adoption: Use the
safetensorsformat instead ofpickle; it is a pure data format with no code execution capability. - Sandboxed Loading: Deserialize models in an isolated, air-gapped environment or a Trusted Execution Environment (TEE).
- Model Scanning: Scan all third-party models for malicious serialized objects before loading.
- Restrict Deserialization: Use safe, allow-listed deserializers that reject arbitrary object types.
Relationship to Model Provenance
Deserialization attacks are a direct threat to Model Provenance and the Algorithmic Supply Chain. Without a verifiable AI Bill of Materials (AIBOM) and strict Vendor Due Diligence, a compromised model can easily masquerade as a legitimate artifact. This attack vector underscores why Model Risk Tiering must include checks for unsafe serialization formats.
Frequently Asked Questions
Clear, technical answers to the most common questions about deserialization vulnerabilities in AI and machine learning pipelines, covering mechanisms, risks, and mitigation strategies.
A deserialization attack is an exploit that injects malicious code into a serialized model object, which executes when the AI model file is loaded by an application. In the context of machine learning, this attack targets the common practice of saving trained models to disk using formats like Pickle (Python) , Keras H5, or ONNX and later reconstructing them for inference. The vulnerability arises because many serialization protocols reconstruct objects by executing arbitrary code during the deserialization process. An attacker who can modify a serialized model file—whether through a compromised model registry, a man-in-the-middle attack on a download, or a poisoned open-source repository—can embed a payload that executes system commands, exfiltrates data, or establishes a reverse shell the moment model.load() is called. This makes deserialization attacks a critical AI supply chain security concern, as the malicious code runs with the privileges of the loading process, often in production environments with access to sensitive data and internal networks.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts for understanding and mitigating the execution of malicious code embedded within serialized AI model objects.
Serialization & Deserialization
The fundamental process exploited in this attack. Serialization converts a complex object (like a model graph) into a byte stream for storage or transfer. Deserialization reconstructs the object from that stream. The vulnerability arises because the reconstruction process can trigger the execution of attacker-controlled code embedded in the stream, often through native __reduce__ (Python) or readObject (Java) methods.
Gadget Chain Exploitation
Attackers rarely inject fully custom code directly. Instead, they craft a sequence of existing, benign classes within the application's libraries—called a gadget chain—that, when deserialized in a specific order, performs a malicious action. This is akin to ROP (Return-Oriented Programming) in memory exploits. A single vulnerable library in the AI serving stack is sufficient to provide the necessary gadgets.
Safe Deserialization Formats
The primary defense is to avoid native, object-graph deserialization of untrusted data entirely. Use purely data-centric formats that do not reconstruct arbitrary types:
- JSON/BSON: Parses only primitive data structures.
- Protobuf/Avro: Schema-defined, code-generated formats.
- ONNX: An interchange format for models that represents a static computation graph, not executable objects.
- Safetensors: A format specifically designed for safe, lazy tensor loading without code execution.
Model File Integrity Verification
Before loading any model artifact, verify its provenance and integrity using cryptographic signatures. A typical workflow:
- The model creator generates a cryptographic hash (e.g., SHA-256) of the serialized file.
- The hash is signed with the creator's private key.
- The loading system verifies the signature against a trusted public key before deserialization.
- This prevents the execution of a model that has been tampered with in transit or at rest.
Sandboxed Model Loading
Execute the deserialization and model loading process within a heavily restricted, ephemeral environment. This limits the blast radius of a successful attack:
- gVisor/Firecracker: Use micro-VMs for strong, hardware-backed isolation.
- gRPC Sandboxing: Load the model in a separate, sandboxed server process with no network access.
- Seccomp/AppArmor: Apply strict kernel-level system call filters to the loading process.
- Capability Dropping: Run the loader with the absolute minimum Linux capabilities (e.g.,
CAP_SYS_ADMINdropped).
Pickle-Specific Defenses
Python's pickle module is the most common vector for ML deserialization attacks. Defensive measures include:
- Absolute Prohibition: Never use
pickle.load()on untrusted data. pickletools.dis(): A static analysis tool to inspect a pickle stream's opcodes before execution, looking for suspiciousREDUCEorGLOBALinstructions.- Restricted Unpicklers: Custom
Unpicklersubclasses that overridefind_classto only allow a strict allowlist of safe, primitive modules (e.g.,builtins,numpy).

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us