Benign PoC: modelscan legacy-PyTorch scan-truncation bypass
Coordinated-disclosure proof-of-concept for Protect AI modelscan, submitted via huntr (Model File Vulnerability).
modelscan's scan_pytorch scans a legacy (non-zip) PyTorch file with multiple_pickles=False
from offset 0, so it disassembles only the first of the file's four concatenated pickles
(the MAGIC_NUMBER long, which has no globals) and stops there; the payload pickle (segment #4)
is never inspected. As a result, a malicious legacy .pt/.bin/.pth/.ckpt scans clean yet runs
code on torch.load(..., weights_only=False).
Both files below carry the identical benign payload:

File            Saved with                                               modelscan result
evil_legacy.pt  torch.save(..., _use_new_zipfile_serialization=False)   No issues found (the bypass)
evil_zip.pt     torch.save(..., _use_new_zipfile_serialization=True)    CRITICAL posix.system (control)
Reproduce
pip install torch modelscan
modelscan -p evil_legacy.pt # -> No issues found (bypass)
modelscan -p evil_zip.pt # -> CRITICAL posix.system (same payload, caught in zip format)
The control proves modelscan detects the exact same payload when the format routes it through
PickleUnsafeOpScan, but misses it in the legacy format.
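To make the truncation concrete, here is an added example (not modelscan's code, and not part of the PoC submission) that emulates the legacy torch.save layout without needing torch, then disassembles every concatenated pickle with pickletools and reports the GLOBAL / STACK_GLOBAL references per segment. Scanning only the first pickle reproduces the blind spot; scanning all four surfaces the reference in segment 4. The denylist, the sample pickles and the sys_info contents are constructed for the example; the "suspicious" sample merely references os.system with a GLOBAL opcode and contains no REDUCE, so unpickling it calls nothing.

```python
"""Segment-aware disassembly of a legacy (non-zip) PyTorch file.

Added example (not modelscan's code): walks every concatenated pickle in the
legacy torch.save layout and reports the GLOBAL / STACK_GLOBAL references in
each segment, so a reference hidden in the fourth pickle is not missed.
"""
import collections
import io
import pickle
import pickletools

# Layout of torch.save(..., _use_new_zipfile_serialization=False): three small
# header pickles (magic number, protocol version, sys_info) followed by the
# object pickle; raw storage bytes follow the fourth STOP and are not pickle.
MAGIC_NUMBER = 0x1950A86A20F9469CFC6C
PROTOCOL_VERSION = 1001
LEGACY_PICKLE_COUNT = 4

# Illustrative denylist (an assumption for this example, not modelscan's list).
UNSAFE_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"),
    ("builtins", "eval"), ("builtins", "exec"),
}

# Constructed sample object pickles. The "suspicious" one only *references*
# os.system with a GLOBAL opcode (no REDUCE), so unpickling it calls nothing.
BENIGN_OBJECT_PICKLE = pickle.dumps({"weight": [1.0, 2.0]}, protocol=2)
SUSPICIOUS_OBJECT_PICKLE = (pickle.PROTO + b"\x02" + pickle.GLOBAL
                            + b"os\nsystem\n" + pickle.STOP)
# Protocol 4 encodes globals as STACK_GLOBAL; a harmless stdlib class exercises that path.
STACK_GLOBAL_OBJECT_PICKLE = pickle.dumps(collections.OrderedDict, protocol=4)

STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING",
                  "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def build_legacy_file(object_pickle: bytes) -> bytes:
    """Emulate the legacy header so the example runs without torch installed."""
    sys_info = {"protocol_version": PROTOCOL_VERSION, "little_endian": True,
                "type_sizes": {"short": 2, "int": 4, "long": 4}}
    header = b"".join(pickle.dumps(v, protocol=2)
                      for v in (MAGIC_NUMBER, PROTOCOL_VERSION, sys_info))
    return header + object_pickle


def globals_in_segment(stream: io.BytesIO) -> list:
    """Disassemble one pickle starting at the stream's current position.

    pickletools.genops stops at STOP and leaves the stream positioned right
    after it, which is what lets the caller move on to the next segment.
    """
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(stream):
        if opcode.name == "GLOBAL":                  # arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name in STRING_OPCODES:          # remember pushed strings
            strings.append(arg)
        elif opcode.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))  # module, name from the stack
    return found


def scan_legacy_file(data: bytes, segments: int = LEGACY_PICKLE_COUNT) -> list:
    """Return one report dict per pickle segment (up to `segments`)."""
    stream = io.BytesIO(data)
    report = []
    for index in range(1, segments + 1):
        if stream.tell() >= len(data):
            break
        refs = globals_in_segment(stream)
        report.append({"segment": index, "globals": refs,
                       "unsafe": [ref for ref in refs if ref in UNSAFE_GLOBALS]})
    return report


def unsafe_references(data: bytes, segments: int = LEGACY_PICKLE_COUNT) -> list:
    """Flatten the report to (segment, module, name) for every denylisted global."""
    return [(entry["segment"], module, name)
            for entry in scan_legacy_file(data, segments)
            for module, name in entry["unsafe"]]


if __name__ == "__main__":
    sample = build_legacy_file(SUSPICIOUS_OBJECT_PICKLE)
    print("first pickle only:", unsafe_references(sample, segments=1))  # []  (the truncation)
    print("all four pickles: ", unsafe_references(sample))              # [(4, 'os', 'system')]
```

Running the block prints an empty result for the first-pickle-only scan and a hit in segment 4 for the full scan, which is the shape of the bypass: the header pickles are always clean, so any scanner that stops after the first STOP of a legacy file reports "No issues found" regardless of what the object pickle contains. The defensive fix is to keep reading segments until the object pickle has been disassembled (four for the legacy layout), and only then decide.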
Strictly benign: the payload's __reduce__ only runs os.system("echo CELVEX-MFV-MARKER > /tmp/…");
it writes a harmless marker string. No weaponization. Confirmed against released modelscan 0.8.8, torch 2.12.1.