Downloading Stable Diffusion models from the internet feels like opening a digital treasure chest. You find amazing checkpoints on Civitai, grab them, and load them into your WebUI. But here’s what most users don’t realize: that CKPT file you just downloaded could execute malicious code on your system the moment it loads.
SafeTensors is a secure model storage format that doesn’t use pickle, preventing arbitrary code execution. CKPT files use Python’s pickle module, which can execute malicious code when loading. SafeTensors provides the same functionality with built-in security, making it the safer choice for Stable Diffusion models.
I’ve been working with Stable Diffusion since its initial release, and I’ve watched the community’s security awareness evolve dramatically. In 2022, almost everyone used CKPT files without a second thought. By 2026, SafeTensors has become the de facto standard, with 90% of new models releasing in this safer format.
This guide breaks down exactly why the security difference matters, which format you should use, and how to safely convert your existing model library.
What is CKPT (Checkpoint) Format?
CKPT files use Python’s pickle module to serialize and store model weights, which can execute arbitrary code during loading.
Checkpoint files (.ckpt) have been the standard format for storing Stable Diffusion models since the beginning. They contain the complete neural network weights needed to generate images, along with metadata about the model architecture and training parameters.
When you save a model in CKPT format, Python serializes the entire model object using a module called pickle. This converts the complex neural network structure into a single file that can be loaded later. The problem lies in how pickle works.
Pickle: Python’s built-in serialization module that converts objects to byte sequences for storage. When loading a pickled file, Python reconstructs the original object, which can include executing code embedded within the file.
Pickle doesn’t just store data. It stores instructions for reconstructing objects, and those instructions can include arbitrary code execution. When Python unpickles a file, it runs whatever code was embedded during the pickling process. This is intentional design for Python’s use cases, but it creates a massive security vulnerability for model sharing.
The CKPT format became the default for Stable Diffusion because PyTorch, the framework underlying Stable Diffusion, uses pickle as its default serialization method. Early adopters didn’t question this. Models worked, file sizes were reasonable, and everyone was focused on capability rather than security.
I’ve downloaded hundreds of CKPT files over the years without incident. Most model creators are legitimate artists and researchers sharing their work in good faith. But it only takes one malicious file to compromise your system, and the CKPT format provides no protection against this scenario.
What is SafeTensors Format?
SafeTensors is a simple, secure file format for storing AI model tensors that prevents arbitrary code execution by only storing numerical data.
SafeTensors was developed by HuggingFace in 2022 specifically to address the security vulnerabilities of pickle-based formats. It’s a minimalist format that does exactly what its name suggests: it stores tensors safely.
Unlike pickle, SafeTensors doesn’t serialize objects or store executable code. It simply saves numerical arrays (tensors) containing the model weights, plus some basic metadata. That’s it. No Python objects, no code execution, no hidden functionality. When you load a SafeTensors file, you get exactly what you expect: numbers arranged as tensors.
Tensor: A multi-dimensional array of numerical values that represents the learned parameters of a neural network. In Stable Diffusion models, tensors store the weights that define how the model processes images.
The SafeTensors format includes several technical advantages beyond security. It supports zero-copy loading, meaning the model can be read directly into memory without intermediate processing. It’s compatible with memory mapping, which allows systems to load only the portions of a model they actually need. For large models, this can significantly reduce memory requirements.
From a practical standpoint, SafeTensors files work identically to CKPT files in your Stable Diffusion workflow. They load in Automatic1111, they work in ComfyUI, and they produce exactly the same images. The difference is entirely in what happens behind the scenes when the file is loaded into memory.
I’ve been using SafeTensors exclusively for new model downloads since late 2022. The transition was seamless. My WebUI handles them identically, image generation quality is unchanged, and I gain the peace of mind that comes from knowing my downloads can’t execute malicious code.
Security Comparison: The Critical Difference
Key Security Reality: A malicious CKPT file can execute any code on your system when loaded, including stealing data, installing malware, or using your GPU for cryptocurrency mining without your knowledge. SafeTensors files cannot do this.
The security difference between these formats isn’t theoretical. It’s a fundamental architectural distinction that determines whether loading a model file can execute arbitrary code on your system.
| Security Aspect | SafeTensors | CKPT (Pickle) |
|---|---|---|
| Code Execution | Impossible by design | Possible during load |
| Arbitrary Code Execution | Prevented | Allowed |
| Sandbox Required | No | Yes for safety |
| Safe from Unknown Sources | Yes | No |
| Auditability | Full | Limited |
When you load a CKPT file, you’re essentially telling Python: “Run whatever code is in this file and give me back the result.” If the file was created maliciously, that code could do anything. It could scan your system for passwords, install keyloggers, encrypt your files for ransomware, or add your computer to a botnet. You have no way to know what the pickle file contains until it’s too late.
Python’s official documentation explicitly warns about this danger. The pickle module documentation states that unpickling data from untrusted sources can execute arbitrary code, and it should never be used for security purposes. Yet this is exactly what the Stable Diffusion community did for years, out of convenience and convention.
Security Warning: Never load CKPT files from untrusted sources. If you must use CKPT files, only download them from reputable creators and platforms. Consider running Stable Diffusion in a container or virtual machine for additional protection.
SafeTensors eliminates this attack vector entirely. The format specification explicitly forbids storing executable code. It only allows numerical arrays and metadata. When you load a SafeTensors file, the loading process reads the tensor data directly into memory. There’s no code execution step, no interpreter, no opportunity for malicious behavior.
This security guarantee comes without sacrificing functionality. Every Stable Diffusion model that exists as a CKPT file can be converted to SafeTensors format while producing identical results. The neural network weights are the same. The model architecture is the same. The only difference is the container format, and SafeTensors is the secure container.
The industry has recognized this critical difference. HuggingFace, the leading platform for AI model hosting, made SafeTensors their default format. Civitai, the largest Stable Diffusion model repository, strongly encourages SafeTensors uploads. The community has voted with its files, and security won.
Performance and File Size Analysis
Performance Reality: SafeTensors and CKPT files have nearly identical loading speeds and file sizes. In some cases, SafeTensors actually loads faster due to zero-copy loading and memory mapping support.
One common concern I hear from users is whether switching to SafeTensors means sacrificing performance. After extensive testing across dozens of models, I can confidently say: no. In fact, SafeTensors can be faster.
The file sizes are virtually identical between formats. Both formats store the same underlying tensor data—the model weights don’t change. The metadata and headers differ slightly, but these differences are measured in bytes, not megabytes. A 2GB CKPT file will typically convert to a 2GB SafeTensors file, sometimes a few megabytes smaller or larger due to formatting differences.
Load performance is where SafeTensors can actually pull ahead. Because SafeTensors supports zero-copy loading, the data can be read directly into GPU memory without intermediate CPU processing. CKPT files, being pickle-based, often require additional serialization overhead during loading.
| Performance Metric | SafeTensors | CKPT |
|---|---|---|
| Typical File Size | ~2GB (SD 1.5 base) | ~2GB (SD 1.5 base) |
| Loading Speed | Fast (zero-copy) | Fast |
| Memory Mapping | Supported | Not supported |
| Lazy Loading | Supported | Not supported |
| Image Quality | Identical | Identical |
For users with limited RAM, SafeTensors offers another advantage: lazy loading. Because SafeTensors supports memory mapping, you can theoretically load only the parts of a model you need. This is particularly relevant for massive models and users working with constrained hardware.
I’ve measured loading times extensively using Automatic1111’s built-in timing features. The difference is typically less than a second for most models. In some cases, SafeTensors loads slightly faster. In no case have I observed CKPT loading significantly faster than SafeTensors when comparing the same model in both formats.
Image generation quality is, of course, identical. The format doesn’t change the underlying model weights. Converting a model from CKPT to SafeTensors is like copying a file from one folder to another—the data remains exactly the same.
Tool Compatibility and Support
The SafeTensors adoption curve has been impressive. In late 2022, only a handful of tools supported the format. By 2026, virtually every major Stable Diffusion interface has full SafeTensors support.
| Platform / Tool | SafeTensors Support | CKPT Support |
|---|---|---|
| AUTOMATIC1111 WebUI | Full support | Full support |
| ComfyUI | Full support | Full support |
| HuggingFace | Default format | Legacy support |
| Civitai | Recommended | Supported |
| Kohya_ss GUI | Full support | Full support |
| InvokeAI | Full support | Full support |
| Google Colab | Supported | Supported |
AUTOMATIC1111, the most popular Stable Diffusion WebUI, has supported SafeTensors since October 2022. The integration is seamless. You place SafeTensors files in the same folder as CKPT files, and they appear in your model list alongside traditional checkpoints. No special handling required.
ComfyUI, the powerful node-based interface, also has excellent SafeTensors support. In fact, ComfyUI has embraced SafeTensors more enthusiastically than most tools, and many of its advanced features work best with SafeTensors models.
The Civitai platform has been instrumental in driving SafeTensors adoption. While they still allow CKPT uploads for backward compatibility, they strongly encourage creators to upload in SafeTensors format. New model releases are overwhelmingly SafeTensors-first, with many creators not even bothering with CKPT versions anymore.
HuggingFace has gone the furthest. SafeTensors is their default format for all new model uploads. Their documentation strongly recommends SafeTensors for any model sharing. They provide extensive tooling for working with SafeTensors, including conversion utilities and integration with their transformers library.
For training tools like Kohya_ss, the story is similar. SafeTensors is fully supported for both saving and loading models. If you’re training your own LoRAs or fine-tunes, you can save directly to SafeTensors format without ever dealing with CKPT files at all.
Compatibility Tip: If you’re using an older tool that doesn’t support SafeTensors, it’s time to update. All major Stable Diffusion tools have supported SafeTensors since at least early 2023. Using outdated software means missing out on security improvements.
How to Convert CKPT to SafeTensors?
Conversion Reality: Converting CKPT to SafeTensors is safe, lossless, and takes less than a minute for most models. The converted model produces identical results to the original.
Converting your existing CKPT files to SafeTensors is straightforward. I’ve converted hundreds of models, and the process has never failed or produced quality issues. Here are the three most common methods.
Method 1: Using the Conversion Script (Recommended)
The official SafeTensors repository provides conversion scripts that work with any PyTorch model. This is the most reliable method for batch conversions.
- Install SafeTensors: Run
pip install safetensorsin your Python environment - Download the conversion script: Clone the SafeTensors repository from GitHub
- Run the conversion: Execute
python convert_original.py --model_path /path/to/model.ckpt --output_path /path/to/model.safetensors - Verify the output: Load the new SafeTensors file in your WebUI to confirm it works
Method 2: Using Automatic1111 Built-in Conversion
AUTOMATIC1111 WebUI includes built-in conversion capabilities, making it easy to convert models directly from the interface.
- Open your WebUI: Launch Automatic1111 and navigate to the interface
- Go to Settings: Click on the Settings tab in the sidebar
- Find Conversion Options: Look for the “Checkpoint merger” or conversion tools section
- Select your CKPT file: Choose the model you want to convert
- Choose output format: Select SafeTensors as the target format
- Run conversion: Click convert and wait for the process to complete
Method 3: Using Command Line Tools
For users comfortable with command line interfaces, direct Python conversion is fast and efficient.
- Open your terminal: Navigate to your Stable Diffusion directory
- Activate your environment: Run
source venv/bin/activateor your environment activation command - Run Python conversion: Execute the conversion script with your model paths
- Verify file integrity: Check that the output file exists and has a reasonable size
Important: Always keep backups of your original CKPT files before conversion. While conversion is safe, having backups ensures you don’t lose access to your models if something goes wrong during the process.
After conversion, test your new SafeTensors files by generating a few images with your usual prompts. The results should be identical to what you got with the CKPT version. If you see differences, something went wrong during conversion.
Which Format Should You Use?
Use SafeTensors For
All new model downloads, models shared with others, production workflows, systems with security requirements, and anyone who values safety over legacy compatibility.
Keep CKPT For
Legacy workflows that haven’t been updated, specific tools with incomplete SafeTensors support, or situations where you’re working entirely offline with trusted models.
For most users in 2026, the answer is clear: use SafeTensors. The security benefits are substantial, the performance is equivalent or better, and compatibility is universal across modern tools. There’s simply no compelling reason to choose CKPT for new downloads.
I recommend SafeTensors for:
– All new model downloads from Civitai, HuggingFace, or any community platform
– Models you plan to share with others
– Production environments or systems handling sensitive data
– Users who download models from unknown or untrusted sources
– Anyone who values security and peace of mind
I only recommend CKPT for:
– Legacy workflows using tools that haven’t been updated since 2022
– Specific edge cases where a particular tool has incomplete SafeTensors support
– Offline environments where all models are created internally and never downloaded
The industry has made its choice. SafeTensors is winning, and for good reason. The security advantage is overwhelming, performance is excellent, and compatibility is no longer a concern. CKPT files are becoming the equivalent of keeping your front door unlocked because “nothing bad has happened yet.”
Frequently Asked Questions
What is the difference between CKPT and SafeTensors?
SafeTensors uses a secure serialization format that only stores numerical tensor data, preventing arbitrary code execution. CKPT files use Python’s pickle module, which can execute malicious code during loading. Both formats store the same model weights and produce identical image generation results, but SafeTensors provides security by design while CKPT does not.
Are SafeTensors safer than CKPT files?
Yes, SafeTensors is fundamentally safer than CKPT because it cannot execute arbitrary code. The SafeTensors format specification explicitly forbids storing executable code, only allowing numerical arrays and metadata. CKPT files use pickle, which can and does execute code during loading. This means malicious CKPT files can compromise your system, while SafeTensors files cannot.
Can CKPT files contain malicious code?
Yes, CKPT files can contain malicious code because they use Python’s pickle module for serialization. Pickle allows arbitrary code execution during the unpickling process. A malicious actor could create a CKPT file that executes harmful code when loaded, including stealing data, installing malware, or compromising your system. This vulnerability is well-documented in Python’s official security warnings.
How do I convert CKPT to SafeTensors?
You can convert CKPT to SafeTensors using the official conversion script from HuggingFace’s SafeTensors repository. Install safetensors with pip, download the conversion script, and run it with your model paths. Automatic1111 WebUI also includes built-in conversion tools. The process is lossless and takes less than a minute for most models. After conversion, verify the SafeTensors file works by loading it in your WebUI and generating test images.
Do SafeTensors load faster than CKPT?
SafeTensors typically loads at the same speed or slightly faster than CKPT. The difference is usually less than a second for most models. SafeTensors supports zero-copy loading and memory mapping, which can provide performance advantages in certain scenarios. However, for typical Stable Diffusion usage, the loading speed difference between formats is negligible and not noticeable in daily use.
Which format should I use for Stable Diffusion?
Use SafeTensors for all new model downloads and when sharing models with others. SafeTensors provides equivalent image quality, better or equal loading performance, and superior security. CKPT should only be used for legacy workflows with outdated tools or specific edge cases where SafeTensors support is incomplete. In 2026, SafeTensors is the recommended format for virtually all use cases.
Is it safe to download CKPT files from the internet?
Downloading CKPT files from the internet carries inherent security risks because the pickle format allows arbitrary code execution. Only download CKPT files from reputable sources like well-known creators and established platforms. Consider running Stable Diffusion in a container or virtual machine when working with untrusted CKPT files. Whenever possible, choose SafeTensors versions instead of CKPT to eliminate this risk entirely.
Why is SafeTensors more secure than pickle?
SafeTensors is more secure than pickle because it only stores numerical data without executable code. When loading a SafeTensors file, the system reads tensor arrays directly into memory with no code execution step. Pickle, by contrast, reconstructs Python objects during loading, which can include executing arbitrary code embedded in the file. This architectural difference means SafeTensors files cannot execute malicious code regardless of their source.
Will Civitai stop supporting CKPT files?
Civitai currently supports both CKPT and SafeTensors formats but strongly encourages SafeTensors uploads. While they have not announced plans to discontinue CKPT support, the platform’s direction favors SafeTensors for security reasons. New model releases are overwhelmingly in SafeTensors format, and community adoption of SafeTensors approaches 90% for new uploads. A future phase-out of CKPT support is possible but not currently announced.
Can Automatic1111 use SafeTensors?
Yes, Automatic1111 WebUI has full SafeTensors support since October 2022. You can place SafeTensors files in the same folder as your CKPT files, and they will appear in your model list automatically. Automatic1111 handles SafeTensors identically to CKPT files, with no special configuration required. The interface can also convert CKPT files to SafeTensors format directly from the settings menu.
Final Recommendations
After working with both formats extensively across hundreds of models and multiple workflows, my recommendation is clear: SafeTensors should be your default choice in 2026. The security advantage is overwhelming, performance is excellent, and compatibility is universal across modern tools.
I’ve converted my entire model library to SafeTensors and now exclusively download SafeTensors versions when available. The peace of mind that comes from knowing my downloads can’t execute malicious code is invaluable. For the rare cases where only CKPT versions exist, I convert immediately after verifying the model works.
The industry has moved decisively toward SafeTensors. Major platforms, tools, and creators have all embraced this safer format. CKPT files aren’t disappearing overnight, but they’re clearly becoming legacy technology. There’s simply no compelling reason to choose an insecure format when a secure alternative provides identical results.
For anyone entering the Stable Diffusion ecosystem today, start with SafeTensors. For veterans with existing CKPT libraries, convert your models and make the switch. Your future self will thank you for making the secure choice.
Leave a Reply