Infrastructure

Safetensors

2022ActivePublished: 20 March 2026Updated: 20 March 2026Published

Key innovation

Binary tensor serialization format using a JSON header and raw numeric data, with no executable-code deserialization, eliminating the arbitrary code execution risk inherent in pickle-based formats (e.g., PyTorch .pt/.bin) while supporting memory-mapped I/O and selective tensor loading.

How it works

Safetensors stores tensors in a simple binary format with a metadata header describing tensor names, data types, shapes, and offsets within the file. This allows the library to read file contents without executing any code embedded in the file. The format is designed to support fast data access and enables zero-copy or partial memory-mapping scenarios, depending on the framework and environment in use. Implementations exist for major ecosystems including PyTorch, TensorFlow, JAX, PaddlePaddle, and NumPy.

Problem solved

Safetensors addresses the unsafe deserialization of model weights in formats such as pickle and the associated security risks. Traditional checkpoint formats can execute arbitrary code during loading, which poses a threat when downloading models from external sources. Additionally, many legacy formats were not designed for fast, simple, and predictable large-scale tensor access. Safetensors mitigates these risks by providing a secure, straightforward, and efficient format for storing tensors.

Components

Header size fieldLocates the JSON header and validates file boundaries before parsing.

First 8 bytes of the safetensors file. Stores the JSON header size as a 64-bit unsigned integer (uint64) in little-endian byte order. Enables immediate location of the JSON header without parsing tensor data.

INRaw binary: 8 bytes at file offset 0.

OUTSize of the JSON header in bytes (N). Maximum enforced at 100 MB.

JSON HeaderStores tensor metadata (names, types, shapes, offsets), enabling selective loading without accessing raw data.

Variable-length UTF-8 JSON section immediately following the header size field. Contains a dictionary mapping tensor names to their dtype (e.g., F16, BF16, F32), shape (array of dimension integers), and data_offsets ([BEGIN, END] relative to the start of the data region). Optional __metadata__ key stores arbitrary string-to-string pairs. Size bounded to 100 MB by MAX_HEADER_SIZE.

Tensor data bufferStores raw tensor numerical data in a memory-mappable format.

Contiguous block of raw bytes storing all tensor data in C (row-major) order, without compression or padding between tensors. Offsets from the JSON header are relative to the start of this buffer (not the file start). Tensors must be packed before serialization — striding is not supported.

Implementation

Reference implementations

safetensors – official repository (Rust + Python bindings)

Rust, Python · Hugging Face (Nicolas Patry)

Official

safetensors – documentation and API reference (Hugging Face)

Python · Hugging Face

Official

Implementation pitfalls

Shared tensors (memory-sharing tensors) in PyTorchMedium

PyTorch allows tensors sharing the same memory storage. The safetensors PyTorch adapter includes special logic for detecting and handling shared tensors. Serializing models with shared tensors without this handling may lead to data duplication or errors. After deserialization, memory sharing is lost — each tensor is independent.

Fix:Use the official safetensors.torch adapter, which handles shared tensors. Verify model integrity after conversion from .pt to .safetensors by comparing parameters.

No compression – large file sizes for low-entropy modelsLow

Safetensors does not use compression. Tensor data is stored as raw bytes. For models with low entropy (e.g., highly sparse weights or quantized models with many zeros), file size may be significantly larger than with compressed serialization formats.

Fix:If file size is critical, consider filesystem-level compression or archives (e.g. .tar.zst). The safetensors format does not support built-in compression per its specification.

Duplicate JSON header keys – inconsistent results across parsersMedium

JSON specification does not formally define behavior for duplicate keys. The Trail of Bits audit found that the Hugging Face reference implementation rejects files with duplicate keys, but some third-party JSON parsers accept them with undefined behavior. A malicious file may thus behave differently across implementations.

Fix:Use only the official safetensors library for parsing. When implementing custom parsers, reject files with duplicate JSON keys during validation.

No built-in data integrity verification (checksum/hash)Low

The safetensors format does not include a built-in data integrity mechanism (e.g., SHA-256 hash of tensors). File corruption during transmission or storage may not be detected at load time — the format validates structure and offsets but not data checksums.

Fix:Use external integrity mechanisms (e.g., SHA-256 file hashes distributed alongside the model). Hugging Face Hub provides a file hash for every model file.

Evolution

2022

First public release of safetensors v0.0.1 (September 22, 2022, PyPI)

Inflection point

Nicolas Patry at Hugging Face published the first version of the safetensors library and format specification. Rust core, Python bindings via PyO3, PyTorch and NumPy support. Format designed as a secure and fast alternative to pickle.

2023

Trail of Bits security audit (May 2023) and adoption by Hugging Face Hub as the default format

Inflection point

Independent security audit by Trail of Bits, commissioned by Hugging Face, EleutherAI, and Stability AI. No critical vulnerabilities found. Hugging Face Hub adopted safetensors as preferred format, displaying warnings for pickle-format models.

2025

Integration of safetensors into PyTorch core as a native serialization option

Inflection point

PyTorch merged native safetensors support into its core serialization API (weights_only parameter and safetensors format option in the save API). This marks institutional endorsement by the leading deep learning framework, relegating pickle to legacy status.