modelscan-bypass-zipfile
Security Research β Modelscan Bypass PoC
Severity: HIGH
Module: zipfile
Description: Zip file extraction β file write to arbitrary paths
Impact: Open zip archives. extractall() writes files. Zip slip via ../ in filenames.
Modelscan Result
$ modelscan scan -p pytorch_model.bin
No issues found! β
(FALSE NEGATIVE)
Tested against: modelscan 0.8.8 (latest)
How It Works
The pickle file uses zipfile which is NOT in modelscan's unsafe_globals blocklist.
When loaded via torch.load() or pickle.loads(), it executes the payload.
Responsible Disclosure
This PoC is part of responsible security research submitted via Huntr MFV program to help ProtectAI improve modelscan's detection capabilities.
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support