metadata
license: mit
tags:
- security-research
- picklescan-bypass
- modelscan-bypass
- poc
PoC: pickle scanner bypass (picklescan + modelscan) — pathlib.Path.write_bytes + sqlite3 load_extension
Security-research artifact for a huntr Model File Vulnerability disclosure. malicious.pkl is a self-contained
pickle that both picklescan 1.0.4 and modelscan 0.8.8 report as CLEAN yet executes native code on
pickle.load: pathlib.Path.write_bytes writes an embedded SQLite extension to /tmp, then sqlite3
load_extension loads it. The payload is BENIGN — it only writes a marker file (/tmp/oneshot_marker) to
demonstrate code execution. Do not load untrusted pickles.