README.md

---
tags:
- security
- msgpack
- rllib
- model-format
license: other
---

# Benign MessagePack / RLlib Checkpoint Security PoC

This repository stages a safe proof-of-concept for a MessagePack-based ML checkpoint loading issue. The artifact is a tiny `state.msgpack` file that follows the Ray RLlib checkpoint state-file shape and carries a NumPy object-dtype array encoded through `msgpack-numpy`.

When decoded through Ray RLlib's `restore_from_path()` MessagePack path, the current `msgpack-numpy` decoder reaches `pickle.loads()` for object-dtype array data. The embedded payload only writes a local marker file named `MSG_PACK_NUMPY_MARKER.txt`.

Public PoC URL: https://huggingface.co/pragnyanramtha/rllib-msgpack-numpy-object-array-ace-poc

## Files

- `state.msgpack` - benign PoC checkpoint state file.
- `verify_poc.py` - verifies plain MessagePack parsing, direct `msgpack-numpy` parsing, and Ray RLlib restore behavior.
- `build_poc.py` - reproduces the artifact generation.
- `artifact_manifest.json` - SHA256, size, and marker details.
- `results.json` - local verification output.
- `scanner_output_file.json` - ModelScan 0.8.8 output for `state.msgpack`.
- `scanner_output_dir.json` - ModelScan 0.8.8 output for this staged folder.
- `requirements.txt` - pinned reproduction dependencies used for this validation.

## Tested Versions

- Python 3.12.12
- Ray 2.55.1
- msgpack 1.1.2
- msgpack-numpy 0.4.8
- NumPy 2.4.4
- ModelScan 0.8.8

## Reproduction

```bash
python -m venv .venv
.venv/Scripts/python -m pip install -r requirements.txt
.venv/Scripts/python build_poc.py
.venv/Scripts/python verify_poc.py
.venv/Scripts/modelscan -p state.msgpack -r json -o scanner_output_file.json --show-skipped
```

On Linux/macOS, replace `.venv/Scripts/python` with `.venv/bin/python`.

Expected behavior:

- Plain `msgpack.load()` parses the file as data and does not create the marker.
- `msgpack_numpy.load()` creates `MSG_PACK_NUMPY_MARKER.txt`.
- Ray RLlib `Checkpointable.restore_from_path()` creates `MSG_PACK_NUMPY_MARKER.txt`.
- ModelScan 0.8.8 reports `total_scanned: 0` and skips `state.msgpack` as `SCAN_NOT_SUPPORTED`.

## Evidence Summary

Artifact:

```text
SHA256: 3ddf739096ea87558f341e1705b607510e7e7f3af4c37841b51bd8809b52e465
Size: 506 bytes
```

Runtime:

```json
"ray_rllib_restore_check": {
  "restored_keys": ["format", "object_array", "safe_weights"],
  "object_array_type": "ndarray",
  "object_array_repr": "array([34], dtype=object)",
  "marker_created": true,
  "marker_text": "msgpack_numpy_object_array_marker\n"
}
```

Scanner:

```json
"scanned": {"total_scanned": 0},
"skipped": {
  "total_skipped": 1,
  "skipped_files": [{
    "category": "SCAN_NOT_SUPPORTED",
    "description": "Model Scan did not scan file",
    "source": "state.msgpack"
  }]
}
```

## Why This Is ML-Format Relevant

Ray RLlib documents checkpoints as model/training artifacts that can be saved to local disk or cloud storage and restored through `restore_from_path()` / `from_checkpoint()`. The docs state that checkpoint directories contain a `pickle` or `msgpack` state file, and current RLlib source loads `state.msgpack` with a `msgpack` module patched by `msgpack-numpy`.

Primary references:

- Ray RLlib checkpoint docs: https://docs.ray.io/en/latest/rllib/checkpoints.html
- Ray RLlib source for `state.msgpack` restore and `try_import_msgpack`: https://docs.ray.io/en/latest/_modules/ray/rllib/utils/checkpoints.html
- msgpack-numpy 0.4.8 decoder source: https://github.com/lebedov/msgpack-numpy/blob/0.4.8/msgpack_numpy.py
- ModelScan 0.8.8 supported scanner extensions: https://github.com/protectai/modelscan/blob/v0.8.8/modelscan/settings.py

## Security Impact

An attacker-controlled RLlib `.msgpack` checkpoint state file can trigger arbitrary Python execution when a victim restores the checkpoint through RLlib's MessagePack path. This PoC uses a harmless local marker write, but the primitive is Python pickle execution hidden inside a MessagePack/NumPy serialization layer.

Limitations:

- This is not a native parser memory-corruption issue.
- It requires a victim workflow that restores an untrusted Ray RLlib MessagePack checkpoint or otherwise decodes the artifact through `msgpack-numpy`.
- The scanner evidence is a ModelScan unsupported-format gap for a dangerous `.msgpack` artifact, not a claim that every Hugging Face scanner accepts the file as clean.

## Mitigations

- Do not restore untrusted RLlib MessagePack checkpoints.
- Reject or sanitize object-dtype arrays during MessagePack checkpoint restore.
- Avoid `msgpack_numpy.patch()` for untrusted checkpoint data, or make the object-dtype pickle path opt-in only.
- Add scanner support for `.msgpack` model artifacts that recursively detects nested pickle payloads in `msgpack-numpy` object-array records.