PickleScan Bypass PoC - marshal.loads + types.FunctionType
Vulnerability
PickleScan v1.0.4 fails to detect a gadget chain using:
- marshal.loads (not in blocklist)
- types.FunctionType (only types.CodeType is blocked)
- builtins.__import__ (not in builtins blocklist)
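The three names above share one property: none of them is in picklescan's blocklist, so a denylist scanner has nothing to match. The defensive counterpart is to enumerate every import a pickle stream performs by disassembly alone (no execution) and report anything outside an allowlist of what a checkpoint legitimately needs, which is also the principle behind torch.load(weights_only=True). The scanner below is an added example written for this page, not code from the PoC repository or from picklescan; the SAFE_GLOBALS allowlist and all input blobs are constructed here for illustration.

```python
import collections
import pickle
import pickletools

# Allowlist (constructed for this example): the imports a plain state_dict
# checkpoint legitimately needs. Everything else is reported, so a gadget the
# blocklist never named (marshal.loads, types.FunctionType,
# builtins.__import__, ...) is still flagged.
SAFE_GLOBALS = frozenset({
    ("collections", "OrderedDict"),
    ("torch", "FloatStorage"),
    ("torch._utils", "_rebuild_tensor_v2"),
})

# Opcodes that push a literal string (the operands of STACK_GLOBAL).
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}
# Memo writes sit between the string pushes and STACK_GLOBAL; they do not
# change the stack, so they are skipped rather than resetting the tracker.
_MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def pickle_globals(data: bytes):
    """Every (module, name) the stream imports, found by disassembly only.

    Protocol 0-3 use GLOBAL with both names inline; protocol 4+ uses
    STACK_GLOBAL, taking module and name from the two preceding string pushes.
    If those operands did not come from literal string pushes (e.g. they were
    fetched from the memo), the import is reported as unresolved, which the
    allowlist rejects rather than silently accepting.
    """
    found = []
    literals = []  # literal strings pushed since the last stack-changing op
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # genops joins the pair with a space
            found.append((module, name))
            literals.clear()
        elif op.name == "STACK_GLOBAL":
            if len(literals) >= 2:
                found.append((literals[-2], literals[-1]))
            else:
                found.append(("<unresolved>", "<unresolved>"))
            literals.clear()
        elif op.name in _STRING_OPS:
            literals.append(arg)
        elif op.name not in _MEMO_OPS:
            literals.clear()
    return found


def suspicious_globals(data: bytes):
    """Imports outside the allowlist; an empty list means nothing to report."""
    return [g for g in pickle_globals(data) if g not in SAFE_GLOBALS]


# Constructed fixtures. None of these is executed: genops only disassembles.
BENIGN = pickle.dumps({"weight": [1.0, 2.0]}, protocol=4)      # no imports at all
CLASS_REF = pickle.dumps(collections.OrderedDict, protocol=4)   # STACK_GLOBAL, allowlisted
# Protocol 2 GLOBAL opcode referencing marshal.loads (one of the names above).
MARSHAL_REF = b"\x80\x02cmarshal\nloads\n."
# Protocol 4 STACK_GLOBAL form referencing builtins.__import__.
IMPORT_REF = b"\x80\x04\x8c\x08builtins\x8c\x0a__import__\x93."

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("class_ref", CLASS_REF),
                        ("marshal_ref", MARSHAL_REF), ("import_ref", IMPORT_REF)]:
        print(f"{label}: {suspicious_globals(blob) or 'clean'}")
```

Real checkpoints reference more torch storage and rebuild helpers than the three entries listed, so a production allowlist is built from what the intended model format actually emits; the point is that the decision defaults to "report" for any import the scanner was not told about, so a previously unseen gadget cannot pass by absence from a list.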
Files
- malicious_model.pt - Malicious PyTorch model that bypasses picklescan
- poc_generate_malicious_model.py - Script to generate the malicious model
Reproduction
# Scan - shows 0 issues
from picklescan.scanner import scan_pytorch

with open("malicious_model.pt", "rb") as f:
    result = scan_pytorch(f, "test.pt")
print(f"issues={result.issues_count}")  # 0!

# Load - triggers RCE
import torch

torch.load("malicious_model.pt", weights_only=False)
# Creates /tmp/picklescan_bypass_poc
Impact
Malicious model files pass picklescan security scanning while achieving arbitrary code execution when loaded.