PyTorch legacy tar scanner bypass PoC
This repository is a security research artifact for a huntr Model File Vulnerability report.
Do not load this file outside an isolated test environment.
Files
legacy_tar_payload.pt
reproduce.py
requirements.txt
Summary
legacy_tar_payload.pt is a minimal old-style PyTorch legacy tar checkpoint. It contains these tar members:
storages
tensors
pickle
The storages and tensors metadata are empty. The object graph is stored in the tar member named pickle.
Picklescan selects .pt files for PyTorch scanning, but its old PyTorch format branch does not implement legacy tar extraction. The scanner therefore reports the outer .pt file as clean, while PyTorch still accepts the legacy tar file and unpickles the embedded pickle member when called with weights_only=False.
The payload writes this marker file in the repository directory:
pytorch_legacy_tar_marker.txt
with this text:
PYTORCH_LEGACY_TAR_EXECUTED
Reproduction
Use an isolated Python environment.
python -m venv .venv
source .venv/bin/activate
pip install --index-url https://download.pytorch.org/whl/cpu torch==2.11.0+cpu
pip install picklescan
python reproduce.py
Expected result:
Picklescan scan of legacy tar .pt:
Scanned files: 1
Infected files: 0
Dangerous globals: 0
Direct scan of tar member named 'pickle':
issues_count: 1
builtins.eval
PyTorch loader control:
torch version: 2.11.0+cpu
marker created: True
marker text: PYTORCH_LEGACY_TAR_EXECUTED
Intended disclosure context
This artifact demonstrates a scanner/parser semantic gap in PyTorch legacy tar serialization handling. The scanner-supported .pt file is treated as clean because the scanner does not unpack the old-format tar container, while the PyTorch loader reaches the embedded pickle payload.