Dual Scanner Bypass PoC: picklescan 1.0.4 + modelscan 0.8.8
WARNING: Security research. DO NOT load model files from this repository.
Vulnerability
Four distinct chains achieve arbitrary code execution while evading ML model security scanners. Chain 4 bypasses BOTH picklescan AND modelscan simultaneously, with 0 issues detected by either.
Bypass Chains
| Chain | Globals | picklescan | modelscan |
|---|---|---|---|
| 1 | `marshal.loads` + `types.FunctionType` + `builtins.__import__` | 0 issues | 1 issue |
| 2 | `codeop.Compile` + `types.FunctionType` + `builtins.__import__` | 0 issues | 1 issue |
| 3 | `codeop.compile_command` + `types.FunctionType` + `builtins.__import__` | 0 issues | 1 issue |
| 4 | `marshal.loads` + `types.FunctionType` + `importlib.import_module` | 0 issues | 0 issues |
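As an added defender-side check (not part of this repository or of either scanner): a `pickletools.genops` pass that lists every `GLOBAL`/`STACK_GLOBAL` reference in a pickle without executing it and flags the six globals named in the table above. The sample byte strings are constructed here for illustration; they only push globals and stop, so they carry no payload.

```python
import pickle
import pickletools
from typing import List, Set

# Deny list assembled from the chains in the table above.
SUSPICIOUS_GLOBALS: Set[str] = {
    "marshal.loads", "types.FunctionType", "builtins.__import__",
    "importlib.import_module", "codeop.Compile", "codeop.compile_command",
}

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}

def extract_globals(data: bytes) -> List[str]:
    """Return every module.name referenced by GLOBAL or STACK_GLOBAL.

    genops disassembles without building objects, so it is safe on untrusted
    input. STACK_GLOBAL takes module and name from the two most recent string
    pushes; we track those (MEMOIZE may sit between them) as a heuristic.
    """
    found: List[str] = []
    recent_strings: List[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":          # arg is "module name"
            module, name = arg.split(" ", 1)
            found.append(f"{module}.{name}")
        elif opcode.name in STRING_OPS:
            recent_strings.append(arg)
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.append(f"{recent_strings[-2]}.{recent_strings[-1]}")
            recent_strings.clear()
    return found

def scan(data: bytes) -> List[str]:
    """Return the referenced globals that are on the deny list, sorted."""
    return sorted(g for g in set(extract_globals(data)) if g in SUSPICIOUS_GLOBALS)

# Constructed sample: protocol-2 GLOBAL opcodes mirroring chain 4, then STOP.
SAMPLE_CHAIN4 = (b"\x80\x02" b"cmarshal\nloads\n" b"ctypes\nFunctionType\n"
                 b"cimportlib\nimport_module\n" b".")
# Constructed sample: protocol-4 STACK_GLOBAL form of importlib.import_module.
SAMPLE_STACK_GLOBAL = (b"\x80\x04" b"\x8c\x09importlib\x94"
                       b"\x8c\x0dimport_module\x94" b"\x93" b".")
# Benign reference: a plain dict of floats, no globals at all.
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)

if __name__ == "__main__":
    for label, blob in [("chain4", SAMPLE_CHAIN4), ("stack", SAMPLE_STACK_GLOBAL), ("benign", BENIGN)]:
        print(label, scan(blob))
```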
Files
| File | Chain | Bypasses |
|---|---|---|
| exploit_dual_bypass.pkl / .pt | 4 | picklescan + modelscan |
| exploit_chain1.pkl / .pt | 1 | picklescan |
| exploit_chain2.pkl / .pt | 2 | picklescan |
| exploit_chain3.pkl / .pt | 3 | picklescan |
| exploit_model.pkl / .pt | 1 | picklescan |
Responsible Disclosure
Reported via the huntr.com model-format vulnerability program.