PYSEC-2026-2477

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/flash-attn/PYSEC-2026-2477.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2477
Aliases
Published
2026-07-13T15:15:45.233345Z
Modified
2026-07-13T16:31:40.152625318Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism
Details

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The loadcheckpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weightsonly=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.

References

Affected packages

PyPI / flash-attn

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2.8.3

Affected versions

0.*
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6.post1
0.2.7
0.2.8
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.3.post0
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
2.*
2.0.0.post1
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.6.post2
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.1.2.post3
2.2.0
2.2.1
2.2.2
2.2.3.post2
2.2.4
2.2.4.post1
2.2.5
2.3.0
2.3.1.post1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.4.0.post1
2.4.1
2.4.2
2.4.3.post1
2.5.0
2.5.1.post1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.5.9.post1
2.6.0.post1
2.6.1
2.6.2
2.6.3
2.7.0.post2
2.7.1.post4
2.7.2.post1
2.7.3
2.7.4.post1
2.8.0.post2
2.8.1
2.8.2
2.8.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/flash-attn/PYSEC-2026-2477.yaml"