MessagePack (.msgpack) MFV PoC - Authorized Security Research
Authorization: huntr.com / Protect AI MFV bug bounty program. All work local in a Python venv. Responsible disclosure only. Human-submitted.
Summary
Format: MessagePack (.msgpack)
Bypass: picklescan 1.0.4 + modelscan 0.8.8
Modes bypassed: all 4 (direct + directory scan for both scanners)
RCE via: joblib.load('malicious.msgpack')
Technique: bzip2-compressed joblib payload
Tested: 2026-06-25
Files
malicious.msgpack: bzip2-compressed joblib payload with .msgpack extension
poc-msgpack.py: reproduction script
README.md: this file
Reproduction
pip install picklescan modelscan joblib
python3 poc-msgpack.py
picklescan -p malicious.msgpack
picklescan -p .
modelscan -p malicious.msgpack
modelscan -p .
python3 -c "
import joblib
print('--- BEFORE LOAD ---')
joblib.load('malicious.msgpack')
print('--- AFTER LOAD ---')
"
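A defender-side check for files like the one listed under Files (a bzip2-compressed joblib payload with a .msgpack extension), as an added example that is not part of the original PoC or of picklescan/modelscan. It identifies compression containers by magic bytes rather than file extension, then lists the imports in the inner pickle stream without unpickling it; it goes beyond bzip2 to gzip and xz, and the function names, size cap and sample data are assumptions made for illustration.

```python
import bz2, collections, lzma, pickle, pickletools, zlib

LIMIT = 64 * 1024 * 1024  # assumed cap on decompressed size, to blunt decompression bombs

# Containers are identified by magic bytes, never by file extension.
CONTAINERS = [
    (b"BZh", "bz2", lambda d: bz2.BZ2Decompressor().decompress(d, LIMIT)),
    (b"\x1f\x8b", "gzip", lambda d: zlib.decompressobj(wbits=31).decompress(d, LIMIT)),
    (b"\xfd7zXZ\x00", "xz", lambda d: lzma.LZMADecompressor().decompress(d, LIMIT)),
]

def unwrap(data, max_layers=4):
    """Peel compression layers; return (inner_bytes, [layer names])."""
    layers = []
    for _ in range(max_layers):
        hit = next((c for c in CONTAINERS if data.startswith(c[0])), None)
        if hit is None:
            break
        try:
            data = hit[2](data)
        except (OSError, EOFError, ValueError, zlib.error, lzma.LZMAError):
            break  # corrupt or truncated stream: scan what we have
        layers.append(hit[1])
    return data, layers

def pickle_imports(data):
    """(module, name) pairs a pickle stream would import; nothing is unpickled."""
    found, strings = set(), []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in ("GLOBAL", "INST"):
                found.add(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
                found.add((strings[-2], strings[-1]))  # heuristic: last two strings pushed
            elif isinstance(arg, str):
                strings.append(arg)
    except Exception:
        pass  # trailing non-pickle bytes (e.g. raw array data): keep what was parsed
    return found

def scan(data, filename="<bytes>"):
    """Report compression layers and pickle imports for one file's bytes."""
    inner, layers = unwrap(data)
    return {"file": filename, "layers": layers, "imports": sorted(pickle_imports(inner))}

# Constructed, benign sample: a bzip2-compressed pickle, named like the page's file.
SAMPLE = bz2.compress(pickle.dumps(collections.OrderedDict(a=1), protocol=4))

if __name__ == "__main__":
    print(scan(SAMPLE, "sample.msgpack"))
```

Any non-empty `layers` on a file whose extension does not imply compression, or any import outside an allowlist, is a reason to quarantine the file before it reaches `joblib.load`.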