
[CRITICAL] Architectural Scanner Bypass in .safetensors via Polymorphic Metadata Overlap

⚠️ ATTENTION: This is a malware model deployed here strictly for research demonstration and bug bounty verification. Please do not use it elsewhere for any illegal purpose. The user takes full legal responsibility for any abuse.

Citation: Peng Zhou, “How to Make Hugging Face to Hug Worms: Discovering and Exploiting Unsafe Pickle.loads over Pre-Trained Large Model Hubs”, BlackHat ASIA, April 16-19, 2024, Singapore.

Summary

This repository contains a Proof of Concept (PoC) for a novel architectural bypass in .safetensors files. It demonstrates how a malicious payload can be hidden within the header buffer, bypassing security scanners like modelscan that only validate the JSON portion of the metadata.
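The summary above places the payload in the header buffer rather than in the JSON object a scanner validates. What follows is an added example, not code from this repository, from modelscan or from the safetensors project: a scanner-side structural check that parses the header strictly, reports any non-padding bytes left inside the header buffer after the JSON object closes, and reports data-section bytes that no tensor entry references. The page does not describe the exact layout of bypass_demo.safetensors, so the check covers the format's general invariants rather than that specific file. The builder function, the dtype-size table (a subset), the header-size ceiling and the sample inputs are constructed for this example.

```python
import json
import math
import struct
from typing import Any

# Byte widths for a subset of the dtype names the safetensors format uses.
DTYPE_SIZE = {"BOOL": 1, "U8": 1, "I8": 1, "I16": 2, "U16": 2, "F16": 2, "BF16": 2,
              "I32": 4, "U32": 4, "F32": 4, "I64": 8, "U64": 8, "F64": 8}
MAX_HEADER_BYTES = 100_000_000  # ceiling chosen for this example (assumption)


def build_safetensors(tensors, metadata=None, header_trailer=b"", slack_between=0):
    """Construct a .safetensors blob for testing (helper written for this example).
    `header_trailer` is appended inside the header buffer, i.e. counted by the
    8-byte length prefix but outside the JSON object; `slack_between` inserts
    bytes between tensors that no entry references. Both are constructed defects."""
    header: dict[str, Any] = {}
    if metadata is not None:
        header["__metadata__"] = metadata
    data = bytearray()
    for i, (name, (dtype, shape, raw)) in enumerate(tensors.items()):
        if i and slack_between:
            data += b"\x00" * slack_between
        start = len(data)
        data += raw
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [start, len(data)]}
    hdr = json.dumps(header, separators=(",", ":")).encode("utf-8") + header_trailer
    hdr += b" " * (-len(hdr) % 8)  # the format pads the header with spaces to 8-byte alignment
    return struct.pack("<Q", len(hdr)) + hdr + bytes(data)


def inspect_safetensors(blob: bytes) -> list[str]:
    """Return structural findings for a .safetensors blob; an empty list means
    every invariant this example checks holds."""
    findings: list[str] = []
    if len(blob) < 8:
        return ["file shorter than the 8-byte header length prefix"]
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER_BYTES or 8 + n > len(blob):
        return [f"header length {n} exceeds file size or ceiling"]
    header = blob[8:8 + n]
    body_len = len(blob) - 8 - n

    # 1. Parse exactly one JSON object, then look at what else the header buffer holds.
    text = header.decode("utf-8", errors="surrogateescape")
    try:
        obj, end = json.JSONDecoder().raw_decode(text)
    except json.JSONDecodeError as exc:
        return [f"header JSON does not parse: {exc.msg}"]
    json_bytes = len(text[:end].encode("utf-8", errors="surrogateescape"))
    extra = header[json_bytes:].rstrip(b" ")  # anything beyond space padding is suspect
    if extra:
        findings.append(f"{len(extra)} bytes after the JSON object inside the header buffer")
    if not isinstance(obj, dict):
        return findings + ["header JSON is not an object"]

    # 2. __metadata__ must be a flat string-to-string map.
    meta = obj.get("__metadata__")
    if meta is not None and not (isinstance(meta, dict) and all(
            isinstance(k, str) and isinstance(v, str) for k, v in meta.items())):
        findings.append("__metadata__ is not a flat string-to-string map")

    # 3. Each tensor entry must be self-consistent and lie inside the data section.
    spans = []
    for name, entry in obj.items():
        if name == "__metadata__":
            continue
        try:
            dtype, shape, (start, stop) = entry["dtype"], entry["shape"], entry["data_offsets"]
        except (KeyError, TypeError, ValueError):
            findings.append(f"{name}: malformed tensor entry")
            continue
        if not (0 <= start <= stop <= body_len):
            findings.append(f"{name}: data_offsets {start}-{stop} outside data section of {body_len} bytes")
            continue
        if dtype not in DTYPE_SIZE:
            findings.append(f"{name}: unknown dtype {dtype!r}")
        elif math.prod(shape) * DTYPE_SIZE[dtype] != stop - start:
            findings.append(f"{name}: shape/dtype imply {math.prod(shape) * DTYPE_SIZE[dtype]} bytes, "
                            f"offsets cover {stop - start}")
        spans.append((start, stop, name))

    # 4. The tensor spans must tile the data section: no unreferenced gaps, no overlap.
    cursor = 0
    for start, stop, name in sorted(spans):
        if start != cursor:
            findings.append(f"{name}: span starts at {start}, expected {cursor} (gap or overlap)")
        cursor = max(cursor, stop)
    if cursor != body_len:
        findings.append(f"{body_len - cursor} unreferenced bytes at end of data section")
    return findings


if __name__ == "__main__":
    clean = build_safetensors({"w": ("F32", [2, 2], bytes(16))}, metadata={"format": "pt"})
    print("clean:", inspect_safetensors(clean))
    padded = build_safetensors({"w": ("F32", [2, 2], bytes(16))},
                               header_trailer=b"\x00constructed-non-json-bytes")
    print("trailing header bytes:", inspect_safetensors(padded))
```

The check is deliberately independent of what the JSON says about itself: it measures the header buffer against the length prefix and the data section against the offsets, so content that a JSON-only validator never sees still has to account for every byte.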

File Information

  • File: bypass_demo.safetensors
  • Vulnerability: Polymorphic Metadata Overlap (Pickle RCE)
  • Status: Verified against modelscan v0.8.8.

Granting Access

This repository is GATED. Access is manually granted to:

  • protectai-bot (Protect AI / Huntr Verification)
  • Authorized security researchers.