Upload README.md with huggingface_hub
0d14343 verified
---
tags:
  - security-research
  - poc
---

# NPZ ModelScan Bypass PoC

Security Research - Huntr MFV Submission

This repository demonstrates that ModelScan completely skips `.npz` files, reporting them as `SCAN_NOT_SUPPORTED`. A malicious `.npz` file containing arbitrary code execution payloads passes ModelScan with zero issues detected.

## Files

- `malicious_model.npz` - NPZ with `os.system` payload (simple RCE)
- `importlib_bypass.npz` - NPZ with `importlib.import_module` bypass chain

## Reproduction

```python
import numpy as np

# WARNING: This executes code. Use in isolated environment only.
data = np.load('malicious_model.npz', allow_pickle=True)
result = data['weights']  # RCE triggers here: accessing the member unpickles the object array
```

## ModelScan Result

```console
$ modelscan -p malicious_model.npz
Total issues: 0
Skipped: SCAN_NOT_SUPPORTED - Model Scan did not scan file
```

## Impact

An attacker can upload a malicious `.npz` model file to any model hub. When a user downloads and loads the file with `numpy.load(allow_pickle=True)`, arbitrary code executes. ModelScan provides no protection for this format.
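The gap described above is a detection gap, not a format limitation: an `.npz` file is a zip archive of `.npy` members, and each `.npy` header declares its dtype, so a scanner can tell whether a member would require pickle without ever deserializing it. The following is an added example of such a check, written for this page; it is not part of this repository, ModelScan or NumPy. It relies on the public header-parsing helpers in `numpy.lib.format` (`read_magic`, `read_array_header_1_0`, `read_array_header_2_0`, `MAGIC_PREFIX`) and builds its own sample archives in memory; the object-array sample carries a plain dict, not an executable payload, since only the dtype matters for detection. Members with an object dtype, a non-`.npy` member, or a header the scanner cannot parse are all reported, so an unknown header version fails closed rather than passing silently.

```python
import io
import zipfile

import numpy as np
from numpy.lib import format as npformat

# Read at most this much of each member: enough for any sane .npy header,
# so a huge or zip-bombed member is never fully inflated into memory.
HEADER_READ_LIMIT = 1 << 20


def npy_header_dtype(raw: bytes) -> np.dtype:
    """Parse only the .npy header and return its dtype.

    Array data is never read, and nothing is unpickled.
    Raises ValueError for unknown format versions.
    """
    buf = io.BytesIO(raw)
    major, minor = npformat.read_magic(buf)
    if (major, minor) == (1, 0):
        _shape, _fortran, dtype = npformat.read_array_header_1_0(buf)
    elif (major, minor) == (2, 0):
        _shape, _fortran, dtype = npformat.read_array_header_2_0(buf)
    else:
        raise ValueError(f"unhandled .npy format version {major}.{minor}")
    return dtype


def scan_npz(data: bytes) -> list[dict]:
    """Return a finding per suspicious member of an .npz archive given as bytes.

    Findings are emitted for: members that are not .npy files, members whose
    header cannot be parsed, and members whose dtype contains Python objects
    (which np.load can only materialise by unpickling).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(HEADER_READ_LIMIT)
            if not head.startswith(npformat.MAGIC_PREFIX):
                findings.append({"member": info.filename,
                                 "issue": "not a .npy member"})
                continue
            try:
                dtype = npy_header_dtype(head)
            except Exception as exc:  # fail closed on anything we cannot parse
                findings.append({"member": info.filename,
                                 "issue": f"unparseable header: {exc}"})
                continue
            if dtype.hasobject:
                findings.append({"member": info.filename,
                                 "issue": f"object dtype {dtype.str!r}, requires pickle to load"})
    return findings


def safe_load_rejects(data: bytes) -> bool:
    """True if np.load with its default allow_pickle=False refuses the archive's arrays."""
    with np.load(io.BytesIO(data)) as npz:
        try:
            for name in npz.files:
                npz[name]
        except ValueError:
            return True
    return False


def build_npz(**arrays) -> bytes:
    """Write the given arrays to an in-memory .npz archive (constructed sample data)."""
    buf = io.BytesIO()
    np.savez(buf, **arrays)
    return buf.getvalue()


# Constructed samples: one ordinary float32 weight matrix, and one archive whose
# member has an object dtype. np.savez pickles object arrays; here the object is
# a harmless dict, so the sample demonstrates the dtype signal without a payload.
BENIGN_NPZ = build_npz(weights=np.zeros((2, 2), dtype=np.float32))
OBJECT_NPZ = build_npz(weights=np.array([{"layer": "dense"}], dtype=object))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_NPZ), ("object-dtype", OBJECT_NPZ)):
        print(f"{label}: findings={scan_npz(blob)} "
              f"default_np_load_rejects={safe_load_rejects(blob)}")
```

The `safe_load_rejects` helper shows the corresponding mitigation on the consumer side: NumPy's default of `allow_pickle=False` already refuses object arrays, so the PoC in the Reproduction section only fires because the loader opts in. The scanner adds the missing upstream signal, flagging an archive as needing pickle before anyone decides whether to trust it.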