ModelScan Pickle Scanner Bypass PoC

โš ๏ธ SECURITY RESEARCH ONLY - DO NOT LOAD THESE FILES โš ๏ธ

This repository contains proof-of-concept files demonstrating a bypass of ModelScan's pickle scanner.

Files

  • malicious_model.joblib — Uses distutils.spawn.spawn() to execute system commands (Python 3.9-3.11). Bypasses BOTH ModelScan and picklescan.
  • cprofile_bypass.joblib — Uses cProfile.run() for arbitrary code execution. Bypasses ModelScan only.
  • timeit_bypass.joblib — Uses timeit.timeit() for arbitrary code execution. Bypasses ModelScan only.
  • poc_modelscan_bypass.py — Full PoC script with all vectors.

Verification

pip install modelscan
modelscan -p malicious_model.joblib
# Expected: 0 issues detected (BYPASS!)

Impact

These files will execute arbitrary code when loaded with joblib.load() or pickle.load(), while completely evading ModelScan detection.

Affected Versions

  • ModelScan: all versions (tested on latest)
  • Python: 3.9-3.11 for distutils vector, all 3.x for cProfile/timeit vectors
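As an added example (not part of this repository or of ModelScan), the check a defender can run instead of trusting a deny-list scanner alone: enumerate every global a pickle imports with pickletools.genops, which parses opcodes without executing anything, then compare the result against both a deny-list of the three callables named above and an allow-list of modules a scikit-learn/joblib artifact legitimately needs. The allow-list prefixes and the sample pickles are constructed here; the samples only reference timeit.timeit, so loading them returns the function and encodes no call.

```python
import collections
import pickle
import pickletools
import timeit

# Constructed deny-list of the callables named in this README. The page's point is that
# deny-lists like ModelScan's missed exactly these, so treat this as the weak control.
KNOWN_BAD = {("distutils.spawn", "spawn"), ("cProfile", "run"), ("timeit", "timeit")}
# Constructed allow-list of module prefixes a scikit-learn/joblib artifact needs; a real
# one is derived from the trusted training pipeline rather than guessed.
ALLOWED_PREFIXES = ("sklearn.", "numpy", "scipy.", "joblib.", "collections", "copyreg")

def referenced_globals(data):
    """Every (module, name) a pickle imports, read via pickletools.genops (nothing runs).
    Handles protocol 0-3 GLOBAL and protocol 4+ STACK_GLOBAL, including memo reuse."""
    found, stack, memo = [], [], {}
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":                        # arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":                # module and name are the two top strings
            name = stack.pop() if stack else "?"
            mod = stack.pop() if stack else "?"
            found.append((mod, name))
            stack.append(None)                         # placeholder for the imported object
        elif op.name == "MEMOIZE":
            if stack:
                memo[len(memo)] = stack[-1]
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            if stack:
                memo[arg] = stack[-1]
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
        elif arg is not None:                          # any other constant push
            stack.append(arg if isinstance(arg, str) else None)
    return found

def deny_hits(data):
    """Deny-list check: the approach this README shows being bypassed."""
    return [g for g in referenced_globals(data) if g in KNOWN_BAD]

def unexpected_globals(data, allowed=ALLOWED_PREFIXES):
    """Allow-list check: flag every import whose module is not expected for this artifact."""
    return [g for g in referenced_globals(data) if not g[0].startswith(allowed)]

# Constructed samples: a benign model-like dict, and reference-only pickles of timeit.timeit.
BENIGN = pickle.dumps({"coef": [0.5, -1.25], "classes": collections.OrderedDict(a=0)})
REF_P2 = pickle.dumps(timeit.timeit, protocol=2)    # emits GLOBAL
REF_P4 = pickle.dumps(timeit.timeit, protocol=4)    # emits STACK_GLOBAL

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("timeit p2", REF_P2), ("timeit p4", REF_P4)):
        print(label, "deny:", deny_hits(blob), "unexpected:", unexpected_globals(blob))
```

Running it shows the benign artifact passing both checks while the timeit reference is caught by the allow-list even if it were missing from the deny-list, which is the property a scanner needs against the bypass class this repository documents.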