ModelScope image-to-3d YAML PoC
This repository contains a benign proof-of-concept for a ModelScope 1.38.1 image-to-3d model-loading vulnerability.
The relevant file is syncdreamer.yaml. It demonstrates attacker-controlled
Python class resolution through:
Image23DPipeline.__init__ -> load_model() -> OmegaConf.load(syncdreamer.yaml)
-> instantiate_from_config(config.model) -> get_obj_from_str(config["target"])
-> importlib.import_module(module) -> cls(**params).
The PoC target is logging.FileHandler, which creates
/tmp/modelscope_image3d_d22_canary when instantiated. No shell command is
executed.
Expected behavior when loaded through ModelScope's image-to-3d path:
syncdreamer.yamlis parsed.logging.FileHandleris imported and instantiated frommodel.target./tmp/modelscope_image3d_d22_canaryis created.- Loading may then fail because this minimal PoC does not include real model weights; the side effect has already occurred.
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support