Inferensys

Glossary

Deserialization Attack

An exploit that injects malicious code into a serialized model object, which executes when the AI model file is loaded.
MLOps engineer reviewing model serving infrastructure on laptop, container orchestration visible, technical workspace.
AI SECURITY VULNERABILITY

What is Deserialization Attack?

A deserialization attack is a critical software exploit where an attacker injects malicious code into a serialized object, which is then executed when the application reconstructs the object from its byte stream.

A deserialization attack exploits the process of converting a formatted byte stream back into a live object. In the context of AI, attackers tamper with serialized model files—such as pickle files in Python—to embed arbitrary code. When the model is loaded via a framework like PyTorch or TensorFlow, the malicious payload executes with the privileges of the loading process, enabling remote code execution.

This vulnerability is a critical AI supply chain risk. A compromised model file can bypass traditional security scans because the payload is inert until deserialization. Mitigations include using safer serialization formats like Safetensors or ONNX, loading models in sandboxed execution environments, and cryptographically verifying model provenance before deserialization.

DESERIALIZATION ATTACK

Key Characteristics

A deserialization attack exploits the process of reconstructing a serialized object to inject malicious code, which executes when an AI model file is loaded.

01

Mechanism of Exploitation

The attack targets the deserialization process, where a byte stream is converted back into a live object. Attackers embed a malicious payload within the serialized data. When the AI framework (like PyTorch or TensorFlow) loads the model, the deserialization routine triggers arbitrary code execution, bypassing standard security controls. This is particularly dangerous because model files are often treated as inert data.

02

Common Attack Vectors

  • Pickle Injection: The Python pickle module, widely used in PyTorch, can execute arbitrary code during unpickling.
  • Keras Lambda Layers: Custom layers in HDF5 files can embed arbitrary functions that execute on load.
  • ONNX Custom Ops: Malicious operators in ONNX graphs can trigger unsafe code execution.
  • Java Deserialization: In Java-based ML serving systems, manipulating serialized Java objects can lead to remote code execution.
03

Impact on AI Systems

A successful deserialization attack grants the adversary full remote code execution on the inference server. This can lead to:

  • Model Theft: Exfiltration of proprietary model weights.
  • Data Breach: Access to sensitive training data or user inputs.
  • Supply Chain Compromise: A backdoored model distributed via a public hub like Hugging Face can infect downstream consumer systems.
  • System Takeover: Lateral movement within the enterprise network.
04

Mitigation Strategies

  • Safetensors Adoption: Use the safetensors format instead of pickle; it is a pure data format with no code execution capability.
  • Sandboxed Loading: Deserialize models in an isolated, air-gapped environment or a Trusted Execution Environment (TEE).
  • Model Scanning: Scan all third-party models for malicious serialized objects before loading.
  • Restrict Deserialization: Use safe, allow-listed deserializers that reject arbitrary object types.
05

Relationship to Model Provenance

Deserialization attacks are a direct threat to Model Provenance and the Algorithmic Supply Chain. Without a verifiable AI Bill of Materials (AIBOM) and strict Vendor Due Diligence, a compromised model can easily masquerade as a legitimate artifact. This attack vector underscores why Model Risk Tiering must include checks for unsafe serialization formats.

DESERIALIZATION ATTACKS

Frequently Asked Questions

Clear, technical answers to the most common questions about deserialization vulnerabilities in AI and machine learning pipelines, covering mechanisms, risks, and mitigation strategies.

A deserialization attack is an exploit that injects malicious code into a serialized model object, which executes when the AI model file is loaded by an application. In the context of machine learning, this attack targets the common practice of saving trained models to disk using formats like Pickle (Python) , Keras H5, or ONNX and later reconstructing them for inference. The vulnerability arises because many serialization protocols reconstruct objects by executing arbitrary code during the deserialization process. An attacker who can modify a serialized model file—whether through a compromised model registry, a man-in-the-middle attack on a download, or a poisoned open-source repository—can embed a payload that executes system commands, exfiltrates data, or establishes a reverse shell the moment model.load() is called. This makes deserialization attacks a critical AI supply chain security concern, as the malicious code runs with the privileges of the loading process, often in production environments with access to sensitive data and internal networks.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.