ModelScan Compression Bypass PoC

Security research PoC for responsible disclosure via huntr.com.

Files

  • detected_uncompressed.joblib: os.system payload WITHOUT compression. ModelScan DETECTS this (1 CRITICAL).
  • bypass_zlib.joblib: SAME os.system payload WITH zlib compression. ModelScan reports 0 issues.
  • bypass_lz4.joblib: SAME os.system payload WITH lz4 compression. ModelScan reports 0 issues.

Vulnerability

ModelScan v0.8.8 cannot parse compressed joblib files. When joblib.dump() uses compress=3 (zlib) or compress=("lz4", 3), the pickle bytes are compressed. ModelScan's pickletools.genops() cannot parse compressed bytes, so it silently returns no findings.

However, joblib.load() automatically decompresses and unpickles, executing the malicious payload.

Reproduction

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support