hacnho's picture
Upload README.md with huggingface_hub
c5c6f74 verified
|
Raw
History Blame Contribute Delete
692 Bytes
metadata
license: mit
tags:
  - security-research
  - picklescan-bypass
  - modelscan-bypass
  - poc

PoC: pickle scanner bypass (picklescan + modelscan) — pathlib.Path.write_bytes + sqlite3 load_extension

Security-research artifact for a huntr Model File Vulnerability disclosure. malicious.pkl is a self-contained pickle that both picklescan 1.0.4 and modelscan 0.8.8 report as CLEAN yet executes native code on pickle.load: pathlib.Path.write_bytes writes an embedded SQLite extension to /tmp, then sqlite3 load_extension loads it. The payload is BENIGN — it only writes a marker file (/tmp/oneshot_marker) to demonstrate code execution. Do not load untrusted pickles.