# ExecuTorch Scanner Bypass PoC

## Vulnerability Summary

- **Format:** ExecuTorch (`.pte`)
- **Scanner bypass:** modelscan 0.8.7 + picklescan 1.0.1 (DUAL BYPASS)
- **Impact:** Arbitrary Code Execution via malicious model file
- **Bounty target:** ExecuTorch MFV
## Technical Details

This PoC demonstrates a dual scanner bypass for `.pte` model files:

- **modelscan bypass:** The `.pte` extension is not in modelscan's supported file extensions list, so modelscan skips the file entirely and returns "No issues found."
- **picklescan bypass:** The malicious payload uses joblib's numpy byte interleaving technique. Even when the file is scanned directly, `pickletools.genops()` crashes on the raw numpy bytes embedded in the joblib pickle stream before it reaches the malicious `__reduce__` call.
- **ACE vector:** The file loads successfully with `joblib.load()`, executing arbitrary code. In ML pipelines, model files are commonly loaded with joblib/pickle regardless of extension.
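The two weaknesses above are extension-based dispatch and a scanner that reports "clean" when the opcode walk fails. As an added, defender-side example (not part of this PoC or of ExecuTorch), the check below decides by file content rather than by extension, never unpickles, and treats a pickle-looking stream that cannot be walked to `STOP` as a finding rather than as clean. The deny-list and the way `STACK_GLOBAL` is resolved are simplifying assumptions, and the sample blobs are constructed inside the block.

```python
import pickle
import pickletools
from typing import List, Tuple

# Illustrative deny-list of import targets a model artifact never needs
# (an assumption for this example, not a complete list).
DANGEROUS_GLOBALS = {("builtins", "eval"), ("builtins", "exec"),
                     ("os", "system"), ("posix", "system"),
                     ("subprocess", "Popen"), ("subprocess", "check_output")}
STRING_OPS = ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE")

def looks_like_pickle(data: bytes) -> bool:
    """Protocol 2+ pickles begin with PROTO (0x80) and a protocol byte."""
    return len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5

def scan_pickle(data: bytes) -> Tuple[List[str], bool]:
    """Walk the opcode stream without unpickling anything.
    Returns (dangerous import targets seen, whether STOP was reached)."""
    findings, strings = [], []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in STRING_OPS:
                strings.append(arg)
            elif op.name in ("GLOBAL", "STACK_GLOBAL"):
                # GLOBAL carries "module name"; STACK_GLOBAL is assumed to
                # take the two most recently pushed strings (good enough here)
                pair = tuple(arg.split(" ", 1)) if arg else tuple(strings[-2:])
                if pair in DANGEROUS_GLOBALS:
                    findings.append(".".join(pair))
    except ValueError:
        return findings, False  # stream broke before STOP: never report this as clean
    return findings, True

def assess(filename: str, data: bytes) -> str:
    """Verdict for a model file based on its bytes, not its extension."""
    if not looks_like_pickle(data):
        return "not-pickle"
    findings, complete = scan_pickle(data)
    if findings:
        return "dangerous-global:" + ",".join(findings)
    if not complete:
        return "unparseable-pickle"
    if filename.endswith(".pte"):
        return "format-mismatch"  # ExecuTorch .pte files are FlatBuffers, not pickles
    return "clean-pickle"

# Constructed samples; none of them is ever unpickled here.
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
REFERENCES_EVAL = b"\x80\x04cbuiltins\neval\n."            # GLOBAL builtins.eval, STOP
TRUNCATED = b"\x80\x02cnumpy\nndarray\n" + b"\xff\x00RAW"  # walk dies at unknown 0xff
```

Wiring `assess()` in front of any `joblib.load()`/`pickle.load()` call and refusing everything except `not-pickle` and `clean-pickle` closes both gaps the PoC relies on.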
## Reproduction

```sh
# Scan with modelscan - reports no issues
modelscan -p malicious_model.pte
# Scan with picklescan - reports no issues
picklescan -p malicious_model.pte
# Load with joblib - executes arbitrary code
python3 -c "import joblib; joblib.load('malicious_model.pte')"
```
## Files

- `malicious_model.pte` - Malicious model file (1,471 bytes)
- `README.md` - This file

## Scanner Results

- modelscan 0.8.7: No issues found (BYPASS)
- picklescan 1.0.1: No issues found (BYPASS)
- `joblib.load()`: Executes `eval('1+1')` = 2 (ACE CONFIRMED)