Safetensors

Safetensors is a simple, fast file format for storing machine learning model weights, designed by Hugging Face to replace the pickle format. Unpickling can execute arbitrary code embedded in the file, so a downloaded pickle-based checkpoint is effectively a program; Safetensors avoids this by storing only a JSON header that describes each tensor and the raw tensor bytes, so loading a file is parsing, not executing. The layout also allows near zero-copy reads, and the format is portable across PyTorch, TensorFlow, Flax, and other frameworks.

Key features of Safetensors include:

  • No code execution risk. A file is an 8-byte little-endian header length, a JSON header giving each tensor's name, dtype, shape and byte offsets, and a raw data buffer. There is no executable content, so loading a Safetensors file cannot run arbitrary code on your machine. The guarantee covers the container only: the loader still has to validate the header length and offsets, and the weights themselves remain untrusted data as far as model behaviour is concerned.
  • DoS protection. The reference implementation rejects headers larger than 100 MB, so a malformed or hostile file cannot make the parser allocate an unbounded header, and tensor offsets are checked against the file size before any data is read.
  • Zero-copy and lazy loading. Because the header records where every tensor lives, a file can be memory-mapped and tensors read in place without intermediate copies, and an individual tensor can be loaded on demand without deserializing the whole file.
  • Faster multi-GPU loading. The same per-tensor offsets let each device or rank read only the slice it needs, which gives significant speedups when loading large models across multiple GPUs or nodes.
  • Cross-language compatibility. Safetensors is implemented in Rust with bindings for Python, enabling use across a broad range of frameworks and toolchains.
  • Apache 2.0 licensed. Permissively licensed for use in both research and production environments.
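To make the "parsing, not executing" property and the header-size and offset checks concrete, here is a small dependency-free reader and writer for the container. This is an added example, not the safetensors project's own code: the function names (build_safetensors, parse_safetensors, check) and the sample tensors are constructed for illustration, and only the layout (length prefix, JSON header, data buffer) and the 100 MB header cap come from the page.

```python
"""Minimal stdlib-only safetensors reader/writer (added example, not the
project's implementation).  Assumed layout:
  8 bytes   little-endian u64 N = header length
  N bytes   UTF-8 JSON: {name: {"dtype", "shape", "data_offsets"}, "__metadata__": {...}}
  rest      raw tensor bytes; data_offsets are relative to this buffer
"""
import json
import struct
from math import prod

MAX_HEADER_SIZE = 100_000_000  # the 100 MB cap mentioned on the page

# Byte width of each element type the container supports.
DTYPE_SIZES = {"BOOL": 1, "U8": 1, "I8": 1, "F16": 2, "BF16": 2, "I16": 2, "U16": 2,
               "F32": 4, "I32": 4, "U32": 4, "F64": 8, "I64": 8, "U64": 8}


class SafetensorsError(ValueError):
    """Raised for any structural problem; nothing in the file is ever executed."""


def build_safetensors(tensors, metadata=None):
    """tensors: {name: (dtype, shape, raw_bytes)}; data is laid out in insertion order."""
    header, buf, cursor = {}, bytearray(), 0
    if metadata:
        header["__metadata__"] = dict(metadata)
    for name, (dtype, shape, raw) in tensors.items():
        if len(raw) != prod(shape) * DTYPE_SIZES[dtype]:
            raise SafetensorsError(f"{name!r}: byte length does not match shape/dtype")
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [cursor, cursor + len(raw)]}
        buf += raw
        cursor += len(raw)
    hjson = json.dumps(header).encode("utf-8")
    hjson += b" " * (-len(hjson) % 8)  # pad header to an 8-byte multiple
    return struct.pack("<Q", len(hjson)) + hjson + bytes(buf)


def parse_safetensors(blob):
    """Return (metadata, {name: {"dtype", "shape", "data"}}) or raise SafetensorsError."""
    if len(blob) < 8:
        raise SafetensorsError("file too short for header length prefix")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER_SIZE:                      # DoS guard: bound allocation before reading
        raise SafetensorsError(f"header length {n} exceeds {MAX_HEADER_SIZE}")
    if 8 + n > len(blob):
        raise SafetensorsError("header length runs past end of file")
    try:
        header = json.loads(blob[8:8 + n].decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as e:
        raise SafetensorsError(f"bad header: {e}") from e
    if not isinstance(header, dict):
        raise SafetensorsError("header must be a JSON object")
    data = blob[8 + n:]
    metadata = header.pop("__metadata__", {})
    if not isinstance(metadata, dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in metadata.items()):
        raise SafetensorsError("__metadata__ must map strings to strings")
    entries = []
    for name, info in header.items():
        if not isinstance(info, dict):
            raise SafetensorsError(f"tensor {name!r}: entry must be an object")
        dtype, shape, offsets = info.get("dtype"), info.get("shape"), info.get("data_offsets")
        if dtype not in DTYPE_SIZES:
            raise SafetensorsError(f"tensor {name!r}: unknown dtype {dtype!r}")
        if not isinstance(shape, list) or not all(isinstance(d, int) and d >= 0 for d in shape):
            raise SafetensorsError(f"tensor {name!r}: bad shape {shape!r}")
        if not (isinstance(offsets, list) and len(offsets) == 2
                and all(isinstance(o, int) for o in offsets)):
            raise SafetensorsError(f"tensor {name!r}: bad data_offsets {offsets!r}")
        begin, end = offsets
        if not (0 <= begin <= end <= len(data)):   # every range must lie inside the buffer
            raise SafetensorsError(
                f"tensor {name!r}: data_offsets {offsets} outside buffer of {len(data)} bytes")
        if end - begin != prod(shape) * DTYPE_SIZES[dtype]:
            raise SafetensorsError(f"tensor {name!r}: byte range does not match shape/dtype")
        entries.append((begin, end, name, dtype, shape))
    entries.sort()                                # ranges must tile the buffer with no gap/overlap
    cursor = 0
    for begin, end, name, dtype, shape in entries:
        if begin != cursor:
            raise SafetensorsError(f"tensor {name!r}: gap or overlap at offset {begin}")
        cursor = end
    if cursor != len(data):
        raise SafetensorsError("trailing bytes after last tensor")
    return metadata, {name: {"dtype": dtype, "shape": shape, "data": data[begin:end]}
                      for begin, end, name, dtype, shape in entries}


def check(blob):
    """Return None if blob parses cleanly, else the error message (for quick triage)."""
    try:
        parse_safetensors(blob)
        return None
    except SafetensorsError as e:
        return str(e)


# Constructed sample: a 2x2 float32 weight and a 2-element int64 bias.
SAMPLE = build_safetensors(
    {"w": ("F32", [2, 2], struct.pack("<4f", 1.0, 2.0, 3.0, 4.0)),
     "b": ("I64", [2], struct.pack("<2q", -1, 7))},
    metadata={"format": "pt"})

# Constructed malformed inputs: a header length far beyond the cap, and a
# tensor whose data_offsets point past the end of the file.
BAD_HEADER_LEN = struct.pack("<Q", 2 ** 40) + b"{}"
_bad_json = json.dumps({"w": {"dtype": "F32", "shape": [1024], "data_offsets": [0, 4096]}}).encode()
BAD_OFFSETS = struct.pack("<Q", len(_bad_json)) + _bad_json + b"\x00" * 16

if __name__ == "__main__":
    meta, tensors = parse_safetensors(SAMPLE)
    print(meta, {k: (v["dtype"], v["shape"]) for k, v in tensors.items()})
    print(check(BAD_HEADER_LEN))
    print(check(BAD_OFFSETS))
```

The whole loader is JSON decoding plus offset arithmetic; there is no step at which file contents select code to run, which is the contrast with pickle. The two rejection paths are the ones a hostile file would target: the length prefix is bounded before anything is allocated, and every tensor's byte range is checked against the buffer and against its declared shape before a slice is handed out.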

Safetensors was contributed by Hugging Face to the Linux Foundation in March 2026.