NumPy NPZ Scanner Bypass PoC
Vulnerability
A malicious .npz file achieves arbitrary code execution when loaded with np.load(allow_pickle=True),
while bypassing both picklescan 1.0.4 and modelscan 0.8.8.
Technique
NPZ files are ZIP archives of NPY files. An NPY file with dtype=object stores its
data as a pickle, so np.load(allow_pickle=True) unpickles it. The payload chains
marshal.loads, types.FunctionType and importlib.import_module. picklescan 1.0.4
rates all three globals as Suspicious (not Dangerous), and none of them appears in
modelscan's unsafe_globals list.
Additionally, modelscan 0.8.8 reports NPZ scanning as 'not implemented yet'.
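As an added example (not the PoC's own code, nor numpy's, picklescan's or modelscan's), this is the check a practitioner would want on the loading side: parse the .npz with only the standard library, treat any member whose descr contains an object field as a pickle and block it, and statically list the globals that pickle would import. The sample archive, its member names and the BLOCKING_GLOBALS set are constructed here from the page's description; the scanner never calls pickle.load.

```python
# Added example (not the PoC's or numpy's code): inspect an .npz without
# numpy, flag object-dtype members (whose body is a pickle) and list the
# globals that pickle would import. The sample archive below is constructed.
import ast
import datetime
import io
import pickle
import pickletools
import struct
import zipfile

NPY_MAGIC = b"\x93NUMPY"

# Globals this page names in its chain. picklescan 1.0.4 rates them only
# "Suspicious"; a scanner that wants to stop the chain must block on them.
BLOCKING_GLOBALS = {"marshal.loads", "types.FunctionType", "importlib.import_module"}


def write_npy_v1(header: dict, body: bytes) -> bytes:
    """Serialize a minimal NPY v1.0 file: magic, version, header length, header, body."""
    text = repr(header).encode("latin1")
    # magic(6) + version(2) + header-length(2) + header + b"\n" must be a
    # multiple of 64; pad with spaces before the newline as numpy does.
    pad = 64 - ((6 + 2 + 2 + len(text) + 1) % 64)
    text += b" " * pad + b"\n"
    return NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(text)) + text + body


def build_sample_npz() -> bytes:
    """Constructed sample: arr_0 is a plain float array, arr_1 is an object-dtype
    array whose body is a pickle, as numpy writes for dtype=object. The pickle
    holds a datetime.date (a benign GLOBAL import), not a payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("arr_0.npy", write_npy_v1(
            {"descr": "<f8", "fortran_order": False, "shape": (3,)},
            struct.pack("<3d", 1.0, 2.0, 3.0)))
        zf.writestr("arr_1.npy", write_npy_v1(
            {"descr": "|O", "fortran_order": False, "shape": (1,)},
            pickle.dumps([datetime.date(2024, 1, 1)], protocol=3)))
    return buf.getvalue()


def parse_npy(data: bytes):
    """Return (header dict, body bytes) for NPY v1 (uint16 length) or v2/v3 (uint32)."""
    if not data.startswith(NPY_MAGIC):
        raise ValueError("not an NPY file")
    major = data[6]
    if major == 1:
        (hlen,), start = struct.unpack("<H", data[8:10]), 10
    elif major in (2, 3):
        (hlen,), start = struct.unpack("<I", data[8:12]), 12
    else:
        raise ValueError(f"unsupported NPY version {major}")
    header = ast.literal_eval(data[start:start + hlen].decode("latin1"))
    return header, data[start + hlen:]


def dtype_contains_object(descr) -> bool:
    """True if the descr (a type string or a structured field list) has an object field."""
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    return any(dtype_contains_object(field[1]) for field in descr)


def pickle_globals(payload: bytes) -> list:
    """Statically walk the pickle opcodes (nothing is executed) and collect every
    'module.name' the pickle would import: GLOBAL for protocol <= 3, STACK_GLOBAL
    (module and name taken from the two most recent string pushes) for protocol 4+."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(payload):
        if op.name == "GLOBAL":
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append(f"{strings[-2]}.{strings[-1]}")
        elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)
    return found


def scan_npz(npz_bytes: bytes) -> dict:
    """Per-member verdict. Any object-dtype member is blocked outright because its
    body is a pickle; its imports are listed and BLOCKING_GLOBALS hits are named."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(npz_bytes)) as zf:
        for name in zf.namelist():
            header, body = parse_npy(zf.read(name))
            is_pickle = dtype_contains_object(header["descr"])
            entry = {"descr": header["descr"], "pickle": is_pickle,
                     "blocked": is_pickle, "globals": [], "hits": []}
            if is_pickle:
                entry["globals"] = pickle_globals(body)
                entry["hits"] = sorted(set(entry["globals"]) & BLOCKING_GLOBALS)
            report[name] = entry
    return report


if __name__ == "__main__":
    for member, verdict in scan_npz(build_sample_npz()).items():
        print(member, verdict)
```

Blocking on dtype alone is the robust rule: the bypass on this page works precisely because the chain uses globals the scanners rate as acceptable, so any denylist will lag behind new chains. An .npz with no object-dtype member needs no pickle at all and loads with np.load(path, allow_pickle=False), which raises ValueError on object arrays instead of unpickling them. The STACK_GLOBAL handling above is an approximation: a pickle can also supply the module and name strings through memo lookups (BINGET), which this walker does not follow, so its global list is a hint, not a guarantee.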
Scanner Results
- picklescan 1.0.4: 0 dangerous globals
- modelscan 0.8.8: No issues found (NPZ scanning not implemented)
Reproduction
import numpy as np
data = np.load('malicious_model.npz', allow_pickle=True)  # NpzFile is lazy: nothing is unpickled yet
_ = data['arr_0']  # ACE on access: the object-dtype member is unpickled here and the payload runs
Versions: numpy 2.4.2, picklescan 1.0.4, modelscan 0.8.8, Python 3.12