Upload folder using huggingface_hub

1c00699 verified about 2 months ago

865 Bytes

license: mit
tags:
  - security-research
  - modelscan-bypass

modelscan-bypass-tokenize-open

Security Research — Modelscan Bypass PoC

Severity: HIGH

Module: tokenize

Description: File open via tokenize.open() — bypasses builtins.open block

Impact: Opens any file for reading. Alternative to builtins.open which is blocked.

Modelscan Result

$ modelscan scan -p pytorch_model.bin
No issues found! ✅ (FALSE NEGATIVE)

Tested against: modelscan 0.8.8 (latest)

How It Works

The pickle file uses tokenize which is NOT in modelscan's unsafe_globals blocklist. When loaded via torch.load() or pickle.loads(), it executes the payload.

Responsible Disclosure

This PoC is part of responsible security research submitted via Huntr MFV program to help ProtectAI improve modelscan's detection capabilities.