ModelScan Compression Bypass PoC
Security research PoC for responsible disclosure via huntr.com.
Files
- detected_uncompressed.joblib: os.system payload WITHOUT compression. ModelScan DETECTS this (1 CRITICAL).
- bypass_zlib.joblib: SAME os.system payload WITH zlib compression. ModelScan reports 0 issues.
- bypass_lz4.joblib: SAME os.system payload WITH lz4 compression. ModelScan reports 0 issues.
Vulnerability
ModelScan v0.8.8 cannot parse compressed joblib files. When joblib.dump() uses compress=3 (zlib) or compress=("lz4", 3), the pickle bytes are compressed. ModelScan's pickletools.genops() cannot parse compressed bytes, so it silently returns no findings.
However, joblib.load() automatically decompresses and unpickles, executing the malicious payload.
Reproduction
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support