Hugging Face's logo

manja316
/
modelscan-bypass-wave

security-research
modelscan-bypass
pickle-safety
Model card Files
xet
 Community
modelscan-bypass-wave / README.md
manja316's picture
manja316
Upload README.md with huggingface_hub
ae127f8 verified
preview code
|
raw
history blame contribute delete
882 Bytes
metadata 
license: mit
tags:
  - security-research
  - modelscan-bypass
  - pickle-safety

modelscan-bypass-wave

Modelscan Bypass PoC — wave.open

Severity: MEDIUM Impact: Arbitrary file write — wave.open(path, "wb") creates/overwrites files on disk modelscan version: 0.7.6 (latest on PyPI) Result: "No issues found!" ✅ (false negative)

Chain

wave.open("/target/path", "wb") → creates file at arbitrary path

Why It Works

wave.open is NOT in modelscan's unsafe_globals blocklist. wave is NOT in the blocklist.

Reproduction 

pip install modelscan
modelscan scan -p bypass_poc.pkl
# Output: "No issues found!"
python3 -c "import pickle; pickle.loads(open('bypass_poc.pkl','rb').read())"
# Executes arbitrary code

Responsible Disclosure

This PoC is part of a responsible disclosure to ProtectAI via Huntr MFV program.