TFLite Scanner Bypass PoC
⚠️ Security Research — Gated Access Required
Dual scanner bypass for TFLite (.tflite) model files.
Vulnerability Summary
Scanners: modelscan 0.8.7, picklescan 1.0.1
Impact: Complete dual scanner bypass enabling arbitrary code execution
Root Cause: The malicious file uses joblib's numpy byte interleaving technique. When scanners parse the pickle stream with pickletools.genops(), raw numpy array bytes crash the parser before reaching the malicious __reduce__ call. Neither scanner can detect the hidden payload.
For modelscan specifically, .tflite is not in the supported_extensions list of any of its internal scanners, so the file is not even scanned as a known format. The joblib/numpy technique additionally defeats any generic pickle scanning.
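As an added, defender-side example (not code from this repository), the Python below is a pre-load gate that closes the two gaps the root cause describes: it checks that a file carrying the .tflite extension actually begins as a FlatBuffer with the TFL3 file identifier rather than with a pickle protocol marker, and it treats a pickle stream that pickletools.genops() cannot walk through to STOP as hostile instead of clean. The function names, the verdict format and every sample byte string are constructed here; the samples are not model files, and the "interleaved" sample only splices non-opcode bytes into a harmless pickle so that the same class of parse failure can be observed, without any payload.

```python
import io
import pickle
import pickletools

# FlatBuffer file identifier used by TFLite models, stored at byte offset 4..8.
TFLITE_IDENTIFIER = b"TFL3"
# First byte of every pickle written with protocol 2 or later (the PROTO opcode).
PICKLE_PROTO_OPCODE = b"\x80"


def classify_model_bytes(data: bytes) -> str:
    """Cheap first gate: decide what the bytes actually are, ignoring the extension."""
    if len(data) >= 8 and data[4:8] == TFLITE_IDENTIFIER:
        return "TFLITE"
    if data[:1] == PICKLE_PROTO_OPCODE:
        return "PICKLE"
    return "UNKNOWN"


def pickle_walks_cleanly(data: bytes) -> bool:
    """True only if pickletools.genops reaches a STOP opcode without raising.

    A scanner that swallows the exception and reports "no issues" is fail-open;
    here a failed walk is treated as a finding in its own right.
    """
    try:
        for opcode, _arg, _pos in pickletools.genops(io.BytesIO(data)):
            if opcode.name == "STOP":
                return True
        return False
    except Exception:  # ValueError on an unknown opcode or an exhausted stream
        return False


def scan_model_file(data: bytes) -> dict:
    """Return an ALLOW/REJECT verdict with its reason, failing closed on anything odd."""
    kind = classify_model_bytes(data)
    if kind == "TFLITE":
        return {"verdict": "ALLOW", "reason": "FlatBuffer carrying the TFL3 identifier"}
    if kind == "PICKLE":
        walked = pickle_walks_cleanly(data)
        detail = "opcode walk completed" if walked else "opcode walk failed; treated as hostile"
        return {"verdict": "REJECT", "reason": f"pickle stream under a .tflite name ({detail})"}
    return {"verdict": "REJECT", "reason": "unrecognised bytes; fail closed"}


# --- constructed samples (not real model files) ------------------------------
# Minimal FlatBuffer-shaped header: a root offset, then the TFL3 identifier.
SAMPLE_TFLITE_HEADER = b"\x1c\x00\x00\x00" + TFLITE_IDENTIFIER + b"\x00" * 20
# Harmless pickle of a dict; protocol 2 keeps the byte layout stable.
SAMPLE_BENIGN_PICKLE = pickle.dumps({"weights": [1, 2, 3]}, protocol=2)
# Same pickle with raw non-opcode bytes spliced in right after PROTO:
# genops reads b"\x00", which is not an opcode, and raises ValueError.
SAMPLE_INTERLEAVED = SAMPLE_BENIGN_PICKLE[:2] + b"\x00\x00\x00\x00" + SAMPLE_BENIGN_PICKLE[2:]
# Stream cut before STOP: genops raises "pickle exhausted before seeing STOP".
SAMPLE_TRUNCATED = SAMPLE_BENIGN_PICKLE[:-1]


if __name__ == "__main__":
    for name, blob in [("tflite-header", SAMPLE_TFLITE_HEADER),
                       ("benign-pickle", SAMPLE_BENIGN_PICKLE),
                       ("interleaved", SAMPLE_INTERLEAVED),
                       ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{name:14s} -> {scan_model_file(blob)}")
```

The identifier check is deliberately the cheapest possible gate; a production loader would go on to parse the FlatBuffer fully. The important design choice is the second one: any file that names itself .tflite but is a pickle is rejected regardless of what the opcode walk says, and an opcode walk that fails is reported, never silently mapped to "clean".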
Scanner Results
| Scanner | Result |
|---|---|
| modelscan 0.8.7 | ✅ "No issues found!" |
| picklescan 1.0.1 | ✅ "Infected: 0" |
File
`malicious_model.tflite` — Malicious model file with an `eval` payload hidden behind the numpy byte barrier
Reproduction
```python
import joblib

# Loading triggers ACE — payload executes during deserialization
model = joblib.load("malicious_model.tflite")
```
Disclosure
Reported through Huntr's responsible disclosure program.