File size: 1,899 Bytes
99bd1d1 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | ---
license: mit
language: en
tags:
- security
- vulnerability-research
- model-security
- poc
- multi-format
---
# Multi-Format Model Vulnerability & Scanner Bypass Suite
This repository contains a suite of Proof-of-Concept (PoC) model files demonstrating critical security vulnerabilities in modern AI model serialization formats. This research focuses on **Load-Time Arbitrary Code Execution (ACE)** and **Scanner Evasion** techniques.
## 🚀 Research Highlights
- **Scanner Bypass (Safetensors/ZIP Polyglot):** A novel technique that crafts a file valid as both Safetensors and ZIP, allowing malicious payloads to evade automated security scanners (e.g., ModelScan).
- **Multi-Format Coverage:** Demonstrates exploits in `.safetensors`, `.gguf`, `.keras`, and `.joblib`.
- **Memory Corruption:** Integer overflow and OOB read vulnerabilities in GGUF metadata parsing.
- **ACE via Deserialization:** Direct command execution during model loading in Joblib and Keras 3.
## 📂 Repository Structure
- `submission_poc.py`: Master reproduction script used to generate all artifacts.
- `poc_output/`: Contains the generated malicious model files and the detailed technical report.
- `vulnerability_report.md`: Comprehensive technical analysis, CVSS scoring, and reproduction steps.
- `polyglot_bypass.safetensors`: The scanner bypass PoC.
- `gguf_overflow.gguf`: Memory corruption PoC.
- `module_injection.keras`: Keras 3 ACE PoC.
- `malicious.joblib`: Joblib/Pickle ACE PoC.
## ⚠️ Disclaimer
This repository is for **educational and authorized security research purposes only**. The PoCs demonstrate how malicious model files can compromise systems at load time. Always use `safe_mode=True` and avoid loading untrusted model files.
## 🔗 Submission Details
This research is part of the **Protect AI / Huntr** bounty program for Model File Vulnerabilities (MFV).
|