--- license: apache-2.0 tags: - security-research - messagepack - msgpack - model-file-vulnerability - huntr-mfv --- # MessagePack `msgpack.load()` Trigger Backdoor PoC This repository contains a benign security research proof of concept for a MessagePack model-file vulnerability report. Files: - `control_msgpack_classifier.msgpack` - `malicious_msgpack_trigger.msgpack` - `reproduce.py` The malicious MessagePack file is loaded with `msgpack.load()`. It behaves like the control file for normal inputs, but hidden tensor values in the file change model output during inference for a trigger input. Tested runtime: - `msgpack==1.1.2` - `numpy==2.4.6` - trigger entrypoint: `msgpack.load(fileobj, ...); numpy inference` Scanner result: - `modelscan==0.8.8` - result: `No issues found!` - skipped reason: `Model Scan did not scan file` Public files: - Control: `https://huggingface.co/hacnho/msgpack-load-trigger-backdoor-poc/resolve/main/control_msgpack_classifier.msgpack` - Malicious: `https://huggingface.co/hacnho/msgpack-load-trigger-backdoor-poc/resolve/main/malicious_msgpack_trigger.msgpack` - Reproducer: `https://huggingface.co/hacnho/msgpack-load-trigger-backdoor-poc/resolve/main/reproduce.py` Reproduction: ```bash python -m venv /tmp/msgpack-load-trigger-poc-venv . /tmp/msgpack-load-trigger-poc-venv/bin/activate pip install 'numpy' 'msgpack==1.1.2' 'modelscan==0.8.8' curl -L -o control_msgpack_classifier.msgpack \ https://huggingface.co/hacnho/msgpack-load-trigger-backdoor-poc/resolve/main/control_msgpack_classifier.msgpack curl -L -o malicious_msgpack_trigger.msgpack \ https://huggingface.co/hacnho/msgpack-load-trigger-backdoor-poc/resolve/main/malicious_msgpack_trigger.msgpack curl -L -o reproduce.py \ https://huggingface.co/hacnho/msgpack-load-trigger-backdoor-poc/resolve/main/reproduce.py python reproduce.py control_msgpack_classifier.msgpack malicious_msgpack_trigger.msgpack ``` Expected output: ```json "control_trigger": { "preds": [1, 1] } "malicious_trigger": { "preds": [1, 0] } "no_issues_found": true ```