hacnho's picture
Upload README.md with huggingface_hub
c5c6f74 verified
|
Raw
History Blame Contribute Delete
692 Bytes
---
license: mit
tags: [security-research, picklescan-bypass, modelscan-bypass, poc]
---
# PoC: pickle scanner bypass (picklescan + modelscan) — `pathlib.Path.write_bytes` + `sqlite3` load_extension
Security-research artifact for a huntr Model File Vulnerability disclosure. `malicious.pkl` is a self-contained
pickle that **both `picklescan` 1.0.4 and `modelscan` 0.8.8 report as CLEAN** yet executes native code on
`pickle.load`: `pathlib.Path.write_bytes` writes an embedded SQLite extension to `/tmp`, then `sqlite3`
`load_extension` loads it. The payload is BENIGN — it only writes a marker file (`/tmp/oneshot_marker`) to
demonstrate code execution. Do not load untrusted pickles.