YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
ModelScan Extension Mismatch Bypass PoC
Vulnerability
ModelScan routes scanners based on file extension. A malicious pickle payload
saved with .bin or .pt extension completely bypasses detection because
these extensions are not mapped to the pickle scanner.
Same pattern as CVE-2025-10155 (picklescan) but in ModelScan.
Files
malicious_model.bin- Malicious pickle disguised as PyTorch binarymalicious_model.pt- Malicious pickle disguised as PyTorch modelpoc_full.py- Full PoC script
Reproduce
pip install modelscan torch
# Step 1: Scan โ ModelScan says SAFE
modelscan -p malicious_model.bin
# Result: No issues found
# Step 2: Load โ Code executes
python -c "import torch; torch.load('malicious_model.bin', weights_only=False)"
# Result: arbitrary code execution
# Compare with .pkl extension โ ModelScan DETECTS it
modelscan -p malicious_model.pkl
# Result: 1 issue found (unsafe operator)
Impact
10 extensions bypass ModelScan: .bin, .pt, .pth, .safetensors, .onnx, .keras, .h5, .npz, .model, .weights
Most critical: .bin and .pt because they are standard PyTorch formats
commonly distributed on HuggingFace and loaded with torch.load().
Fix
ModelScan should detect pickle format by content inspection (magic bytes), not just file extension. Or add .pt/.pth/.bin to the pickle scanner mapping.