TorchScript v1.4 (.ts) MFV PoC — Authorized Security Research

Authorization: huntr.com / Protect AI MFV bug bounty program. All work local in a Python venv. Responsible disclosure only. Human-submitted.

Summary

Format: TorchScript v1.4 (.ts)
Bypass: picklescan 1.0.4 + modelscan 0.8.8
Modes bypassed: all 4 (direct + directory scan for both scanners)
RCE via: joblib.load('malicious.ts')
Technique: bzip2-compressed joblib payload
Tested: 2026-06-25

Files

  • malicious.ts — bzip2-compressed joblib payload with .ts extension
  • poc-ts.py β€” reproduction script
  • README.md β€” this file

Reproduction

pip install picklescan modelscan joblib

python3 poc-ts.py

picklescan -p malicious.ts
picklescan -p .
modelscan  -p malicious.ts
modelscan  -p .

python3 -c "
import joblib
print('--- BEFORE LOAD ---')
joblib.load('malicious.ts')
print('--- AFTER LOAD ---')
"
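The bypass works because joblib.load() picks the compressor by magic bytes, not by extension, while the scanners never look inside the bzip2 layer. As an added defensive check (not part of this PoC or of either scanner), the stdlib-only code below does what a scanner would need to: unwrap bz2/gzip/xz by magic, then enumerate the imports the pickle stream performs. The size cap, the module allowlist and the sample payload are assumed/constructed.

```python
"""Added check: unwrap joblib's compression layer and list what the pickle would import."""
import bz2, collections, lzma, pickle, pickletools, zlib

MAX_BYTES = 64 * 1024 * 1024  # assumed cap; guards against decompression bombs

# Stream compressors joblib.load() detects by magic bytes regardless of extension.
MAGIC = {b"BZh": "bz2", b"\x1f\x8b": "gzip", b"\xfd7zXZ\x00": "xz"}

# Assumed allowlist of modules a plain array/tensor pickle legitimately imports.
ALLOWLIST = {"numpy", "numpy.core.multiarray", "torch", "torch._utils"}


def unwrap(data: bytes):
    """Return (codec, payload); codec is None when the file is not compressed."""
    for magic, codec in MAGIC.items():
        if data.startswith(magic):
            if codec == "bz2":
                return codec, bz2.BZ2Decompressor().decompress(data, MAX_BYTES)
            if codec == "gzip":
                return codec, zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data, MAX_BYTES)
            return codec, lzma.LZMADecompressor().decompress(data, MAX_BYTES)
    return None, data


def pickle_globals(data: bytes):
    """Collect (module, name) pairs from GLOBAL and STACK_GLOBAL opcodes."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))  # last two pushed strings
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def scan(data: bytes) -> dict:
    """Report the codec, whether the payload parses as a pickle, and non-allowlisted imports."""
    codec, payload = unwrap(data)
    try:
        globs = pickle_globals(payload)
    except ValueError:  # pickletools could not parse an opcode stream
        return {"codec": codec, "pickle": False, "suspicious": []}
    bad = [f"{m}.{n}" for m, n in globs if m not in ALLOWLIST]
    return {"codec": codec, "pickle": True, "suspicious": bad}


def build_sample() -> bytes:
    """Constructed sample: a harmless OrderedDict pickle, bzip2-wrapped the way joblib reads it."""
    return bz2.compress(pickle.dumps(collections.OrderedDict(a=1)))
```

Running `scan(build_sample())` reports codec "bz2" and flags `collections.OrderedDict`, showing that the import is visible once the compression layer is unwrapped.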