PyTorch's `torch.load()` function now natively supports the Safetensors format, improving security and interoperability for AI model weights. This change streamlines workflows.
PyTorch has updated its core framework to natively support loading Safetensors files directly through the torch.load() function, as of . This enhancement streamlines the process of integrating models stored in the Safetensors format, which is known for its security benefits and improved interoperability compared to PyTorch’s traditional pickle-based serialization. For operators, this means a more secure and potentially faster workflow when handling model weights, especially for large language models and other complex AI architectures.
What changed
Previously, loading a Safetensors file into a PyTorch application typically required using a separate library or a more complex serialization/deserialization process. The recent update, detailed in a PyTorch GitHub commit, introduces direct support within torch.load(). Now, calling torch.load("foo.safetensors") will return a tensordict serialized as Safetensors, according to the release notes. This change was largely “Claude coded,” indicating the use of AI assistance in its development.
The Safetensors format itself is designed for storing tensors securely, quickly, and with cross-language and cross-framework compatibility. Its primary advantage is security, as it prevents arbitrary code execution during loading, a known vulnerability with PyTorch’s default torch.load() when handling untrusted files. For instance, PyTorch 2.2.2 had a security vulnerability (CVE-2025-32434) in torch.load(), which applications mitigated by specifically using the Safetensors format for model loading.
Why it matters for operators
For engineers, founders, and consultants working with AI models, this native integration is a significant quality-of-life improvement with tangible security and operational benefits. The immediate implication is a simplified and more secure pipeline for deploying and sharing models. No longer will operators need to implement workarounds or rely on external libraries to safely load .safetensors files, reducing boilerplate code and potential points of failure. This is particularly critical in environments where models are sourced from various origins, such as open-source communities or third-party providers, where the risk of malicious payload injection via pickle serialization is a genuine concern.
Furthermore, the inherent speed and simplicity of Safetensors, as highlighted by its creators, translate directly into faster model loading times. While PyTorch has not released specific benchmarks for this native integration, the design principles of Safetensors promise efficiency. For operators managing large-scale deployments or those iterating rapidly on model architectures, even marginal gains in loading speed can accumulate into substantial time savings. This move by PyTorch signals a strong commitment to adopting industry best practices for model serialization, which operators should leverage by standardizing on Safetensors for their own model distribution and archival. We expect to see a reduction in security incidents related to model loading, provided operators update their PyTorch versions and adopt the Safetensors format more broadly.
How to try it today
To utilize this new functionality, operators need to update their PyTorch installation to the version released on or after . Once updated, loading a Safetensors file is as straightforward as using the standard torch.load() function:
import torch
# Assuming 'my_model_weights.safetensors' is a Safetensors file
model_state_dict = torch.load("my_model_weights.safetensors")
# You can then load this state_dict into your model
# model = MyModel()
# model.load_state_dict(model_state_dict)
This direct integration removes the need for external Safetensors libraries or manual parsing, simplifying development and deployment workflows.
Risks and open questions
- Backward Compatibility: While the new functionality adds Safetensors support, operators should verify if existing workflows that explicitly used other Safetensors loading mechanisms will be affected or if the native
torch.load()will supersede them seamlessly. - Performance Benchmarks: Specific performance comparisons between native
torch.load()for Safetensors and previous methods (or even pickle for simple cases) have not been detailed. Operators with highly performance-sensitive applications may need to conduct their own benchmarks. - Full Feature Parity: It’s important to confirm if the native integration supports all advanced features or metadata that might be embedded in Safetensors files by third-party tools, or if it primarily focuses on tensor data.
Sources
- PyTorch GitHub: trunk/5d300e84867a7170de93d4153912b347eedf931c: Make it possible to load safetensors with torch.load (#170592) — https://github.com/pytorch/pytorch/releases/tag/trunk%2F5d300e84867a7170de93d4153912b347eedf931c
- Safetensors File Format — https://cran.r-project.org/web/packages/safetensors/index.html
- GitHub – aahepburn/RAG-Assistant-for-Zotero: An open‑source desktop RAG application that enables semantic search across your Zotero library. — https://github.com/aahepburn/RAG-Assistant-for-Zotero
