TorchScript v1.4 (.ts) MFV PoC - Authorized Security Research
Authorization: huntr.com / Protect AI MFV bug bounty program. All work local in a Python venv. Responsible disclosure only. Human-submitted.
Summary
Format: TorchScript v1.4 (.ts)
Bypass: picklescan 1.0.4 + modelscan 0.8.8
Modes bypassed: all 4 (direct + directory scan for both scanners)
RCE via: joblib.load('malicious.ts')
Technique: bzip2-compressed joblib payload
Tested: 2026-06-25
Files
malicious.ts - bzip2-compressed joblib payload with .ts extension
poc-ts.py - reproduction script
README.md - this file
Reproduction
pip install picklescan modelscan joblib
python3 poc-ts.py
picklescan -p malicious.ts
picklescan -p .
modelscan -p malicious.ts
modelscan -p .
python3 -c "
import joblib
print('--- BEFORE LOAD ---')
joblib.load('malicious.ts')
print('--- AFTER LOAD ---')
"
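The bypass works because joblib.load identifies the container by its leading magic bytes rather than by the file extension, so a scanner that only inspects the raw bytes of malicious.ts (or trusts the .ts suffix) never sees the pickle opcodes inside the bzip2 layer. The checker below is an added example written for this README; it is not part of the PoC, of joblib, or of picklescan/modelscan. It peels known compression layers, walks the opcode stream with pickletools without executing anything, and lists every module/name pair the pickle would import so the result can be compared against an allowlist. The allowlist, the harmless OrderedDict sample payload and the assumption that a genuine TorchScript archive starts with a zip header are constructed for illustration.

```python
"""Added example (not part of the PoC): inspect a possibly-compressed pickle
container for import references without loading it."""
import bz2
import collections
import gzip
import lzma
import pickle
import pickletools
import zlib

# Magic prefixes of the compressed containers joblib transparently unwraps
# (it sniffs the first bytes of the file rather than trusting the extension).
CONTAINER_MAGIC = (
    (b"BZh", "bz2"),
    (b"\x1f\x8b", "gzip"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"\x78\x01", "zlib"),
    (b"\x78\x9c", "zlib"),
    (b"\x78\xda", "zlib"),
)
DECOMPRESS = {"bz2": bz2.decompress, "gzip": gzip.decompress,
              "xz": lzma.decompress, "zlib": zlib.decompress}

# Opcodes that push a str which a later STACK_GLOBAL consumes as module/name.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def detect_container(data: bytes):
    """Return the compressor name if data starts with a known magic, else None."""
    for magic, name in CONTAINER_MAGIC:
        if data.startswith(magic):
            return name
    return None


def unwrap(data: bytes):
    """Peel compression layers until the bytes are a bare pickle stream."""
    layers = []
    while (name := detect_container(data)) is not None:
        layers.append(name)
        data = DECOMPRESS[name](data)
    return layers, data


def find_globals(stream: bytes):
    """List (module, name) pairs the pickle would import, without executing it."""
    found = []
    recent = []  # strings pushed so far; STACK_GLOBAL uses the last two
    for op, arg, _pos in pickletools.genops(stream):
        if op.name in STRING_OPS:
            recent.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # pickletools joins them with a space
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(recent) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            found.append((recent[-2], recent[-1]))
    return sorted(set(found))


def scan_bytes(data: bytes, allowlist=frozenset()):
    """Report compression layers, import references and an allowlist verdict."""
    layers, stream = unwrap(data)
    refs = find_globals(stream)
    disallowed = [r for r in refs if r not in allowlist]
    return {"layers": layers, "globals": refs,
            "disallowed": disallowed, "flagged": bool(disallowed)}


def scan_file(path: str, allowlist=frozenset()):
    """Scan a file and also surface a .ts file that is not a zip archive
    (assumption: a genuine torch.jit.save archive starts with a zip header)."""
    with open(path, "rb") as fh:
        data = fh.read()
    report = scan_bytes(data, allowlist)
    report["extension_mismatch"] = path.endswith(".ts") and not data.startswith(b"PK")
    return report


def build_sample(protocol=pickle.DEFAULT_PROTOCOL):
    """Constructed sample: a harmless OrderedDict pickle wrapped in bzip2."""
    return bz2.compress(pickle.dumps(collections.OrderedDict(a=1), protocol=protocol))


if __name__ == "__main__":
    sample = build_sample()
    print("literal class name visible in raw bytes:", b"OrderedDict" in sample)
    print(scan_bytes(sample))
    print(scan_bytes(sample, allowlist={("collections", "OrderedDict")}))
```

The point of the example is the order of operations: decompress first, then reason about opcodes, and treat the verdict as a property of the imports the stream would resolve rather than of the extension. A scanner that stops at the raw bytes will report nothing for the sample, while the checker lists the collections.OrderedDict reference and flags it unless the allowlist covers it.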