PoC: pickle scanner bypass (picklescan + modelscan) โ pathlib.Path.write_bytes + sqlite3 load_extension
Security-research artifact for a huntr Model File Vulnerability disclosure. malicious.pkl is a self-contained
pickle that both picklescan 1.0.4 and modelscan 0.8.8 report as CLEAN yet executes native code on
pickle.load: pathlib.Path.write_bytes writes an embedded SQLite extension to /tmp, then sqlite3
load_extension loads it. The payload is BENIGN โ it only writes a marker file (/tmp/oneshot_marker) to
demonstrate code execution. Do not load untrusted pickles.
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐ Ask for provider support