| | --- |
| | license: mit |
| | language: en |
| | tags: |
| | - security |
| | - vulnerability-research |
| | - model-security |
| | - poc |
| | - multi-format |
| | --- |
| | |
| | # Multi-Format Model Vulnerability & Scanner Bypass Suite |
| |
|
| | This repository contains a suite of Proof-of-Concept (PoC) model files demonstrating critical security vulnerabilities in modern AI model serialization formats. This research focuses on **Load-Time Arbitrary Code Execution (ACE)** and **Scanner Evasion** techniques. |
| |
|
| | ## π Research Highlights |
| |
|
| | - **Scanner Bypass (Safetensors/ZIP Polyglot):** A novel technique that crafts a file valid as both Safetensors and ZIP, allowing malicious payloads to evade automated security scanners (e.g., ModelScan). |
| | - **Multi-Format Coverage:** Demonstrates exploits in `.safetensors`, `.gguf`, `.keras`, and `.joblib`. |
| | - **Memory Corruption:** Integer overflow and OOB read vulnerabilities in GGUF metadata parsing. |
| | - **ACE via Deserialization:** Direct command execution during model loading in Joblib and Keras 3. |
| |
|
| | ## π Repository Structure |
| |
|
| | - `submission_poc.py`: Master reproduction script used to generate all artifacts. |
| | - `poc_output/`: Contains the generated malicious model files and the detailed technical report. |
| | - `vulnerability_report.md`: Comprehensive technical analysis, CVSS scoring, and reproduction steps. |
| | - `polyglot_bypass.safetensors`: The scanner bypass PoC. |
| | - `gguf_overflow.gguf`: Memory corruption PoC. |
| | - `module_injection.keras`: Keras 3 ACE PoC. |
| | - `malicious.joblib`: Joblib/Pickle ACE PoC. |
| |
|
| | ## β οΈ Disclaimer |
| |
|
| | This repository is for **educational and authorized security research purposes only**. The PoCs demonstrate how malicious model files can compromise systems at load time. Always use `safe_mode=True` and avoid loading untrusted model files. |
| |
|
| | ## π Submission Details |
| |
|
| | This research is part of the **Protect AI / Huntr** bounty program for Model File Vulnerabilities (MFV). |
| |
|
