etwithin
/

mlflow-scanner-bypass-poc

Model card Files Files and versions

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

MLFlow Scanner Bypass PoC

Vulnerability

Malicious pickle in MLFlow model's python_model.pkl achieves ACE while bypassing both scanners.

Scanner Bypass

modelscan 0.8.8: 0 issues on python_model.pkl (marshal+FunctionType chain bypasses detection)
picklescan 1.0.4: 0 infected files

ACE on Load

import mlflow
model = mlflow.pyfunc.load_model("./")  # ACE triggered during pickle deserialization

Payload Chain

importlib.import_module → marshal.loads → types.FunctionType → arbitrary code execution

Environment

MLFlow 3.10.1
modelscan 0.8.8
picklescan 1.0.4
Python 3.12.8

Downloads last month: -; Downloads are not tracked for this model. How to track

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support