DailyGlimpse

Safetensors Passes Security Audit, Set to Become Default Model Format

AI
April 26, 2026 · 4:56 PM

Hugging Face, EleutherAI, and Stability AI have announced the successful completion of an external security audit of the safetensors library, clearing the way for it to become the default format for saving machine learning models.

The audit, conducted by Trail of Bits, found no critical flaws that could lead to arbitrary code execution. Some minor issues were identified and fixed: imprecisions in the format specification, and missing validation that allowed polyglot files (a single file that parses both as safetensors and as another format). The audit team also suggested improvements to the test suite, which have been implemented.

What is safetensors?

Safetensors is a library for saving and loading tensors across frameworks including PyTorch, TensorFlow, JAX, PaddlePaddle, and NumPy. A safetensors file is nothing more than a JSON header describing each tensor (name, dtype, shape, byte offsets) followed by the raw tensor bytes, so, unlike PyTorch's default pickle-based serialization, loading it never executes code from the file.

import torch
from safetensors.torch import load_file, save_file

# A tiny "model": one named tensor. save_file writes the JSON header plus raw bytes.
weights = {"embeddings": torch.zeros((10, 100))}
save_file(weights, "model.safetensors")
# load_file parses the header and rebuilds the tensors from the bytes; nothing in the file is executed.
weights2 = load_file("model.safetensors")

In addition to safety, safetensors supports lazy loading, that is, reading only the tensors, or the slice of a tensor, that the caller asks for rather than the whole file, which is crucial for efficiently serving large language models. The project also reports load times up to 100x faster than pickle on CPU, and files work across frameworks without conversion.
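To make concrete what "no code execution" and "lazy loading" mean at the byte level, here is an added example, written for this article and not taken from the safetensors project, that writes and reads the container layout the format uses: an 8-byte little-endian header length, a JSON header with dtype, shape and data_offsets per tensor (plus an optional __metadata__ entry), then the raw bytes. The dtype table, the header-size bound, the exact validation rules and the demo() tensors are this example's own simplifications and constructed inputs; the reference implementation defines more dtypes and its own rules, and its Rust code is not reproduced here.

```python
import io
import json
import math
import os
import struct
import tempfile
from array import array

# Byte width per dtype string, a subset of the real format's table (assumption for this
# example). The host is assumed little-endian, as the on-disk format itself is.
DTYPE_SIZE = {"F32": 4, "F16": 2, "BF16": 2, "I64": 8, "I32": 4, "U8": 1, "BOOL": 1}
MAX_HEADER_BYTES = 100_000_000  # bound enforced before the JSON parser ever sees the header

def f32(values):
    """Raw float32 bytes for a list of floats (constructed tensor data)."""
    return array("f", values).tobytes()

def serialize(tensors, metadata=None):
    """tensors: name -> (dtype, shape, raw bytes). Returns the complete file bytes."""
    header, blobs, cursor = {}, [], 0
    for name in sorted(tensors):
        dtype, shape, raw = tensors[name]
        if len(raw) != DTYPE_SIZE[dtype] * math.prod(shape):
            raise ValueError(f"{name}: {len(raw)} bytes do not match {dtype}{list(shape)}")
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [cursor, cursor + len(raw)]}
        blobs.append(raw)
        cursor += len(raw)
    if metadata:
        header["__metadata__"] = metadata
    hjson = json.dumps(header, separators=(",", ":")).encode("utf-8")
    return struct.pack("<Q", len(hjson)) + hjson + b"".join(blobs)

def _reject_duplicate_keys(pairs):
    """json.loads hook: two entries for the same tensor name are malformed."""
    out = {}
    for key, value in pairs:
        if key in out:
            raise ValueError(f"duplicate key {key!r} in header")
        out[key] = value
    return out

def validate_header(hbytes, data_len):
    """Parse the header and reject anything the data section cannot back: non-object
    JSON, gapped or overlapping offsets, sizes that disagree with dtype*shape, and file
    bytes no tensor accounts for (room for a second format hidden in the same file)."""
    if not hbytes.startswith(b"{"):
        raise ValueError("header is not a JSON object")
    header = json.loads(hbytes, object_pairs_hook=_reject_duplicate_keys)
    entries = {k: v for k, v in header.items() if k != "__metadata__"}
    spans = sorted((v["data_offsets"][0], v["data_offsets"][1], k) for k, v in entries.items())
    cursor = 0
    for start, end, name in spans:
        info = entries[name]
        if start != cursor or end - start != DTYPE_SIZE[info["dtype"]] * math.prod(info["shape"]):
            raise ValueError(f"{name}: data_offsets {[start, end]} gapped, overlapping or mis-sized")
        cursor = end
    if cursor != data_len:
        raise ValueError(f"header accounts for {cursor} data bytes but the file has {data_len}")
    return header

def read_header(f):
    """Read and validate only the header of an open binary file; returns (header, data_start)."""
    size = f.seek(0, os.SEEK_END)
    f.seek(0)
    if size < 8:
        raise ValueError("truncated file")
    (n,) = struct.unpack("<Q", f.read(8))
    if n > MAX_HEADER_BYTES or 8 + n > size:
        raise ValueError(f"header length {n} out of range for a {size}-byte file")
    return validate_header(f.read(n), size - 8 - n), 8 + n

def parse_bytes(buf):
    return read_header(io.BytesIO(buf))[0]

def load_tensor(path, name):
    """Lazy load: seek straight to one tensor's bytes; no other tensor is read."""
    with open(path, "rb") as f:
        header, data_start = read_header(f)
        info = header[name]
        start, end = info["data_offsets"]
        f.seek(data_start + start)
        raw = f.read(end - start)
    if info["dtype"] != "F32":
        raise NotImplementedError("this example only decodes F32")
    return info["shape"], array("f", raw).tolist()

def demo():
    """Round-trip two constructed tensors through a temp file, then lazily read one back."""
    tensors = {"embeddings": ("F32", (2, 3), f32([0.0] * 6)),
               "bias": ("F32", (3,), f32([1.0, 2.0, 3.0]))}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "model.safetensors")
        with open(path, "wb") as f:
            f.write(serialize(tensors, {"format": "pt"}))
        return load_tensor(path, "bias")
```

The security property is visible in what the loader does: it parses JSON, checks arithmetic on offsets, and copies bytes. There is no step at which the file can name a function to call. Lazy loading falls out of the same layout, since the header alone tells load_tensor where to seek. The consistency checks matter too: a header whose offsets leave unclaimed bytes, or claim bytes the file does not have, is exactly the kind of slack a polyglot or a truncated download hides in, and it should be a hard error rather than something a tolerant parser glosses over.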

Why a new format?

PyTorch's default save format relies on Python's pickle module, and unpickling untrusted data is code execution by design: a pickle can name any importable callable together with its arguments, and the loader calls it. A malicious model file therefore gives the attacker control of whatever machine loads it. This threat is well known in the security community but often overlooked in the ML community. Since the Hugging Face Hub allows anyone to upload models, ensuring safe loading is critical.
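The claim is easy to verify, so here is an added demonstration using only the standard library; it is written for this article and is not PyTorch's or the safetensors project's code. The Payload class, the benign dict and the allow-list contents are constructed for the example; the payload calls builtins.eval to fetch the loader's own process id, standing in for the os.system call a real attacker would use.

```python
import io
import os
import pickle
import pickletools

class Payload:
    """Constructed for this example. Any object can tell pickle how to rebuild
    itself: pickle stores a callable plus arguments, and pickle.load calls them.
    Here the callable is builtins.eval, so the file decides what code runs."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))  # stands in for os.system(...)

def make_malicious_pickle():
    return pickle.dumps(Payload())

def make_benign_pickle():
    """A plain dict of lists, roughly what a harmless state_dict pickles to."""
    return pickle.dumps({"embeddings": [0.0] * 4})

def unsafe_load(data):
    """The primitive torch.load is built on: rebuild whatever the file describes."""
    return pickle.loads(data)

def expected_pid():
    """The loader's own pid; the payload returns it to prove it ran in this process."""
    return os.getpid()

# Opcodes that push a string constant; STACK_GLOBAL takes its module and name from these.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}

def referenced_globals(data):
    """Static triage: walk the opcode stream without executing it and list every
    (module, name) the pickle would import. Simplified: it assumes the two strings
    feeding STACK_GLOBAL are the most recent string constants, which holds for the
    standard pickler's output on a first reference. A hand-crafted pickle can evade
    this, so it is a scanner, not the control."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: module and name come from the stack
            found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found

class RestrictedUnpickler(pickle.Unpickler):
    """Runtime control: resolve only allow-listed globals. The allow-list is what
    makes this safe, and every entry on it is attack surface (assumed contents)."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")

def restricted_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()
```

With the standard pickler, the malicious file's opcode stream carries a single global reference, builtins.eval, so referenced_globals flags it before anything runs; unsafe_load returns the loader's own pid, proving the file's code executed inside the loading process; restricted_load refuses the file and still accepts the benign dict. torch.load(weights_only=True) applies the same allow-list idea to PyTorch's own classes. Safetensors removes the hole rather than fencing it: its format has no place for a callable at all.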

Existing formats didn't meet all the requirements: safety, speed, lazy loading, and framework agnosticism. Safetensors fills this gap.

The audit results

The audit confirmed no critical security vulnerabilities. Written in Rust, the library benefits from the language's memory safety guarantees. While no system can be proven perfectly secure, this audit provides strong reassurance that safetensors is safe for production use.

The full report is publicly available on Hugging Face's dataset repository.

Next steps

Hugging Face, EleutherAI, and Stability AI plan to transition to safetensors as the default format. EleutherAI has already added safetensors support to its LM Evaluation Harness and is working on integrating it with GPT-NeoX.

Within the Transformers library, safetensors will soon be installed by default. After a period of testing and feedback, expected to take a few months, saving models in safetensors will become the default. The library is also approaching a 1.0 release.

Safetensors is already in use by platforms like Civitai, Stable Diffusion Web UI, dfdx, and LLaMA.cpp. With this audit, the team is confident that safetensors represents a major step toward safer and more efficient machine learning.