
Core ML Scanner Bypass PoC

Vulnerability Summary

Format: Core ML (.mlmodel)
Scanner Bypass: modelscan 0.8.7 + picklescan 1.0.1 (DUAL BYPASS)
Impact: Arbitrary Code Execution via malicious model file
Bounty Target: Core ML MFV

Technical Details

This PoC demonstrates a dual scanner bypass for .mlmodel model files:

  1. modelscan bypass: The .mlmodel extension is not in modelscan's supported file extensions list. modelscan skips scanning entirely, returning "No issues found."

  2. picklescan bypass: The malicious payload uses joblib's numpy byte interleaving technique. Even when scanned directly, pickletools.genops() crashes on raw numpy bytes embedded in the joblib pickle format before reaching the malicious __reduce__ call.

  3. ACE vector: The file loads successfully with joblib.load(), executing arbitrary code. In ML pipelines, model files are commonly loaded with joblib/pickle regardless of extension.

Reproduction

# Scan with modelscan - reports no issues
modelscan -p malicious_model.mlmodel

# Scan with picklescan - reports no issues
picklescan -p malicious_model.mlmodel

# Load with joblib - executes arbitrary code
python3 -c "import joblib; joblib.load('malicious_model.mlmodel')"

Files

  • malicious_model.mlmodel - Malicious model file (1,471 bytes)
  • README.md - This file

Scanner Results

modelscan 0.8.7: No issues found (BYPASS)
picklescan 1.0.1: No issues found (BYPASS)
joblib.load(): Executes eval('1+1') = 2 (ACE CONFIRMED)