etwithin
/

pt2-scanner-bypass-poc

Model card Files Files and versions

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

Torch Export (.pt2) Scanner Bypass PoC

Vulnerability

Malicious pickle payload hidden in the sample_inputs/model.pt nested archive within a .pt2 file.

Scanner Bypass

modelscan 0.8.8: No scanner registered for .pt2 extension → 0 issues reported
picklescan 1.0.4: Does not scan .pt2 files → 0 files scanned

ACE on Load

torch.export.load() calls deserialize_torch_artifact() which:

First tries torch.load(buffer, weights_only=True) → fails (our payload uses importlib)
Silently falls back to torch.load(buffer, weights_only=False) → ACE triggered

Payload Chain

importlib.import_module → marshal.loads → types.FunctionType → arbitrary code execution

None of these are in picklescan's or modelscan's dangerous globals lists.

Reproduction

from torch.export import load
# This triggers ACE via weights_only=False fallback
ep = load("malicious_model.pt2")
# Check /tmp/pt2_ace_proof.txt

Environment

PyTorch 2.10.0
modelscan 0.8.8
picklescan 1.0.4
Python 3.12

Downloads last month: -; Downloads are not tracked for this model. How to track

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support