Hugging Face's logo

manja316
/
modelscan-bypass-poplib

PyTorch
security-research
modelscan-bypass
Model card Files
xet
 Community
modelscan-bypass-poplib / README.md
manja316's picture
manja316
Upload folder using huggingface_hub
22fdb7b verified
preview code
|
raw
history blame contribute delete
868 Bytes
metadata 
library_name: pytorch
tags:
  - security-research
  - modelscan-bypass
license: mit

ModelScan Bypass PoC — poplib.POP3

Security research for responsible disclosure via Huntr MFV program.

Vulnerability

poplib.POP3 is not in modelscan's unsafe_globals blocklist. When a pickle file containing this global is scanned by modelscan, it reports "No issues found." However, loading the file with pickle.loads() / torch.load() triggers immediate TCP connection to attacker-controlled POP3 server on deserialization (SSRF/data exfiltration).

Impact

  • Severity: HIGH
  • Effect: immediate TCP connection to attacker-controlled POP3 server on deserialization (SSRF/data exfiltration)
  • Bypass class: Module blocklist gap

Reproduction 

pip install modelscan
modelscan scan -p bypass_poc.pkl
# Output: "No issues found!"